openafs@conference.openafs.org
Wednesday, October 29, 2014

GMT+0
[01:19:40] mvita joins the room
[01:46:39] ballbery leaves the room
[02:00:53] ballbery joins the room
[02:26:12] mvita leaves the room
[02:26:13] mvita joins the room
[02:57:05] mvita leaves the room
[03:07:04] mvita joins the room
[03:50:40] mvita leaves the room
[09:58:34] wiesand joins the room
[10:31:38] mvita joins the room
[10:58:32] mvita leaves the room
[13:57:33] kaduk joins the room
[14:01:05] meffie joins the room
[14:05:31] <wiesand> Hello
[14:05:45] <wiesand> Very sorry, I'm distracted for a few moments
[14:05:49] <kaduk> Hi.
[looks at room name]
[14:07:19] <wiesand> see what I mean ? ;-)
[14:07:26] <kaduk> ;)
[14:15:03] mvita joins the room
[14:22:20] mvita leaves the room
[14:22:29] mvita joins the room
[14:47:35] meffie leaves the room
[14:47:38] meffie joins the room
[15:30:34] ktdreyer joins the room
[15:39:03] wiesand leaves the room
[15:46:31] ktdreyer leaves the room
[16:32:22] Simon Wilkinson joins the room
[16:32:35] meffie leaves the room
[16:32:36] meffie joins the room
[16:32:57] <kaduk> Hey Simon
[16:34:01] <kaduk> off-topic, but I have a gss-openssh question
[16:34:41] <Simon Wilkinson> sure
[16:36:08] <kaduk> In openssh 6.7 (?), they switched to a table-driven scheme for converting key exchange method string names and constant identifiers
[16:36:52] <kaduk> The old/existing gss-keyex patches relied on behavior that did a prefix match for the string names, since there's also a base64-encoded suffix for the GSS mech OID.
[16:37:08] <Simon Wilkinson> Yup
[16:37:44] <kaduk> This doesn't work in the table-driven scheme, so it seems like we need to specify a list of mechanisms at compile time.  It seems like the gss-server code already has a hardcoded list of mechanisms for authentication, though (just krb5), so I'm skeptical that other GSS mechs were ever used for key exchange.
[16:37:47] <kaduk> What do you think?
[16:38:31] <Simon Wilkinson> The GSI folks maintained their own fork of the OpenSSH code which added support for GSI to the list of mechanisms supported server side.
[16:38:50] <Simon Wilkinson> And Sam has support for Moonshot (and, in his pull request, for support for any mechanism server side)
[16:38:55] <kaduk> Ah, that would make sense.
Do we know their mech OID(s)?
[16:39:04] <kaduk> (GSI)
[16:39:06] <Simon Wilkinson> No, but we could potentially find them out.
[16:39:22] <Simon Wilkinson> But the whole idea is to move away from hard coding mech IDs, rather than doing it more.
[16:40:00] <kaduk> The upstream commit which converted to the table-driven scheme also killed some built-in scheme that was using prefix matching, but just expanded out the table to include the three different schemes that were getting matched.
[16:40:23] <kaduk> I'm not sure whether upstream would take a patch to restore prefix-matching behavior in some form, or whether it's a good idea to maintain such a thing as a local patch.
[16:40:33] <kaduk> (Hmm, maybe I should just send mail to the gss-openssh list.)
[16:40:41] <Simon Wilkinson> They probably wouldn't. They don't have any interest in out of tree key-exchange.
[16:42:23] <kaduk> That's kind of what I figured.
[17:57:12] meffie leaves the room
[19:46:32] <kaduk> Are there any current platforms using the inode fileserver?
[20:16:13] meffie joins the room
[21:09:47] <Simon Wilkinson> Solaris, I believe
[21:18:37] <kaduk> (Thinking about how to phrase documentation for it and related issues, since "most systems" don't use it.)
(going afk but will read logs)
[21:18:42] kaduk leaves the room
[22:07:57] meffie leaves the room
[22:36:22] ballbery leaves the room
[22:37:09] ballbery joins the room
[23:31:20] Simon Wilkinson joins the room
[23:32:22] Simon Wilkinson leaves the room