[torquedev] patch: gssapi: support integrity protection on authenticated connections

Sergio Gelato Sergio.Gelato at astro.su.se
Thu Jun 7 13:50:06 MDT 2007


* Garrick Staples [2007-06-04 15:35:45 -0700]:
> > The third patch makes use of the new machinery to actually wrap traffic
> > after authentication. Only integrity protection (GSS_C_INTEG_FLAG) is
> > explicitly required; confidentiality (GSS_C_CONF_FLAG) is used if
> > the security context supports it (that was the case in my tests).
> 
> Can non-gssapi builds still talk to gssapi builds with these patches?

The design is such that the answer should be affirmative.
Wrapping is only turned on after successful GSS security context
establishment, which obviously won't happen unless both ends include
the GSSAPI support. Without the wrapping, the security context will
be GSS_C_NO_CONTEXT and the corresponding code paths are essentially
unchanged from the non-gssapi version of tcp_dis.c. Also, I did test
operation without the third patch.

... I've just tested job submission from a non-gssapi 2.1.6 client to 
a gssapi server with the patches we are talking about. It works, 
as long as the server's ACL grants that kind of access. 
I still haven't tested a gssapi client against a non-gssapi server,
but if you have such a server running it should be straightforward to
try it yourself. I expect it to work as well as it did before.

What may not be working so well is job submission using a gssapi
client to a gssapi server by a user who doesn't hold valid, forwardable GSS
crentials; but that's a preexisting problem, not a result of my patches. 
(The problem is that req_quejob() tries to pbsgss_save_creds() 
even when no delegated credentials are available. I don't see this as a 
good reason to reject a batch job; it may cause problems in environments
--- like mine --- where the delegated credentials are needed either by the 
job while it's running or by MOM when returning the output files to the 
client, but not every site will be in this situation. If all you want 
GSSAPI for is to improve on pbs_iff, you don't really need credentials 
delegation.)

Needless to say, older gssapi builds won't talk to newer gssapi builds.
But that should be OK, as the gssapi code hasn't made it into a release
yet.


More information about the torquedev mailing list