svn commit: lorikeet r254 - in trunk/white-papers: .
abartlet at samba.org
Thu Apr 14 01:07:00 GMT 2005
Author: abartlet
Date: 2005-04-14 01:07:00 +0000 (Thu, 14 Apr 2005)
New Revision: 254
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=lorikeet&rev=254
Log:
Add future requirements, references
Andrew Bartlett
Modified:
trunk/white-papers/gensec-white-paper.lyx
Changeset:
Modified: trunk/white-papers/gensec-white-paper.lyx
===================================================================
--- trunk/white-papers/gensec-white-paper.lyx 2005-04-13 22:56:53 UTC (rev 253)
+++ trunk/white-papers/gensec-white-paper.lyx 2005-04-14 01:07:00 UTC (rev 254)
@@ -56,6 +56,12 @@
\layout Standard
+The series of subsystems presented in this paper are the culmination of
+ four years of thought and development, since the first `Authentication
+ rewrite' work on the then Samba HEAD development branch back in 2001.
+
+\layout Standard
+
Because Samba4 took the challenge to match Microsoft's latest releases exactly,
the issues surrounding Active Directory, and modern security technologies
quickly came to the fore.
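Review bot: subject/verb agreement in the new paragraph: `The series of subsystems presented in this paper are the culmination` should read `is the culmination`, since the subject is the singular `series`.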
@@ -275,8 +281,12 @@
\layout Standard
On the Microsoft side of the fence, it is well known that Microsoft uses
- a subsystem called SSPI (Security Support Porvider Interface) to handle
- almost all their network authentication and encryption interactions.
+ a subsystem called SSPI (Security Support Porvider Interface)
+\begin_inset LatexCommand \citep{sspi}
+
+\end_inset
+
+ to handle almost all their network authentication and encryption interactions.
This module, modeled after GSSAPI but without API compatibility, provides
all windows applications, but in particular the OS itself, with a single
interface to these `security functions'.
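Review bot: the misspelling `Porvider` in `SSPI (Security Support Porvider Interface)` is carried over unchanged onto the rewritten `+` line; since the line is already being touched to add the `\citep{sspi}` inset, correct it to `Provider` in the same change.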
@@ -322,7 +332,7 @@
\layout Standard
In short, Samba's client applications must no longer unconditionally prompt
- for a password, and instead handle some appropriate callback.
+ for a password, and must instead provide some appropriate callback.
\layout Section*
@@ -362,13 +372,23 @@
\layout List
\labelwidthstring 00.00.0000
-NTLMSSP The standard NTLM challenge response system, used by all modern
- windows systems.
+NTLMSSP
+\begin_inset LatexCommand \citep{opengroupntlm,davenportntlm}
+
+\end_inset
+
+ The standard NTLM challenge response system, used by all modern windows
+ systems.
\layout List
\labelwidthstring 00.00.0000
-Kerberos Kerberos, oringally from MIT's project Athena is a crypographicly
- secure trusted-third-party security system.
+Kerberos
+\begin_inset LatexCommand \citep{mitkrb5}
+
+\end_inset
+
+ Kerberos, oringally from MIT's project Athena is a crypographicly secure
+ trusted-third-party security system.
Kerberos version 5 (krb5) is the current standard.
\layout List
\labelwidthstring 00.00.0000
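Review bot: the re-flowed Kerberos entry keeps two misspellings in the added text, `oringally` and `crypographicly` (should be `originally` and `cryptographically`), and wants a comma after `Athena` to close the parenthetical; the new citation keys `mitkrb5`, `opengroupntlm` and `davenportntlm` also need matching entries in the `thesis`/`rfc` BibTeX databases referenced at the end of the file, or BibTeX will report undefined citations.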
@@ -386,7 +406,7 @@
\labelwidthstring 00.00.0000
SCHANNEL Schannel is the security mechanism used between Microsoft client
- workstations and servers for domain membership, and used the machine trust
+ workstations and servers for domain membership, and uses the machine trust
account.
\layout Standard
@@ -453,8 +473,8 @@
\family default
utility.
This needed substatial extension, but unlike the code used in the rest
- of Samba3, this was quite practical, and did not drasticly alter the parse
- layer.
+ of Samba3, this was quite practical as it already possesed distinct parse
+ and logic layers.
\layout Standard
This code now selects between the registered GENSEC mechanisms, in choosing
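Review bot: `possesed` on the added line should be `possessed`; the unchanged context line two above (`This needed substatial extension`) has `substatial` for `substantial` and is worth fixing while this paragraph is being edited.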
@@ -533,7 +553,7 @@
The solution was to replace all these arguments with a single context pointer,
on which the low-level code may now inquire for the information it actually
- requires.
+ requires, and which may be expanded without changing all the layers in-between.
Likewise, the command-line parsing code now has a single place to fill
in the information it knows, as well as how well it knows it (guessed from
an environment variable, specified on the command line etc).
@@ -554,12 +574,6 @@
\layout Subsection*
-Local Authentication
-\layout Subsection*
-
-Domain Membership
-\layout Subsection*
-
Interfaces
\layout Section*
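Review bot: this hunk silently drops the `Local Authentication` and `Domain Membership` subsection headings, but the log message (`Add future requirements, references`) only mentions additions; either record the removal in the log, or, if those sections are still planned, keep the headings as placeholders so the document outline is not lost.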
@@ -613,10 +627,17 @@
Pass length-bounded packets of data between the peers, until both are satisfied
with the negotiation.
+\layout List
+\labelwidthstring 00.00.0000
+
+
+\family typewriter
+gensec_set_credentials
+\family default
+() This API links an existing credentials context to this GENSEC context.
\layout Standard
-Other APIs are provided to obtain information to the server about the incoming
- client, as well as to control the user-name and password that is sent.
+Other APIs are provided to obtain information such as the name of the client.
Because GENSEC is all
\family typewriter
talloc()
@@ -856,15 +877,43 @@
\layout Section*
Future requirements
+\layout Standard
+
+GENSEC and the other security subsystems with which it collaborates are
+ not the end of the line in this area: there is still a lot of work to do,
+ particularly as we try and assist other projects in the use of this infrustruct
+ure, and as we cope with newer requirements on the Samba code generally.
\layout Subsection*
Asyncronous request support
+\layout Standard
+
+The particular area that looms as a change for GENSEC is that of asyncronous
+ request support.
+ This involves saving state regarding the progress of the GENSEC transation
+ into the context, such that the state machine can return to the main processing
+ loop, and be recalled later.
+ This is currently an issue in the NTLMSSP server, where we contact a remote
+ domain controller, and we must process other packets while we wait for
+ a reply.
+ Likewise, we would hope not to block in the GENSEC client, while we wait
+ for packets to return from a KDC we may need to talk to.
\layout Subsection*
Moving beyond Samba
\layout Standard
+As GENSEC becomes more useful, we also should seriously consider how it
+ is best used outside Samba.
+ For example, many projects are now using Samba's ntlm_auth to handle NTLMSSP
+ authentication, but at some point soon they may wish to handle SPNEGO,
+ and more particularly the signing and sealing of the subsequent data streams.
+ It is likely that this may require GENSEC to be rewitten into an external
+ library, (as it is rather Samba-specific at this point), but this is yet
+ to be determined.
+\layout Standard
+
\begin_inset LatexCommand \BibTeX[plainnat]{/home/data/samba/lorikeet/samba4-ad-thesis/thesis,/home/data/samba/lorikeet/samba4-ad-thesis/rfc}
\end_inset
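Review bot: the `\BibTeX[plainnat]{...}` inset points at absolute paths under `/home/data/samba/lorikeet/samba4-ad-thesis/`, so the paper only builds on this author's machine; make the path relative to `trunk/white-papers/` (or add the `.bib` files to the repository) so anyone with a lorikeet checkout can run BibTeX. The new text also carries several spelling errors: `infrustructure` (split across the line break as `infrustruct`/`ure`), `asyncronous`, `transation` and `rewitten`, plus `Asyncronous` in the pre-existing `Asyncronous request support` heading.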