Is this too big of a change?

Douglas E. Engert deengert at anl.gov
Mon Aug 26 14:41:45 EDT 2002


Ken Hornstein wrote:
> 
> >The OpenAFS and Arla community is working on support for somewhat more
> >native krb5  authentication to AFS.  Servers will support the
> >encrypted part of a krb5 ticket sent with a special kvno as  an AFS
> >token.  It turns out that if you have a special krb524d this
> >improvement allows you to upgrade to doing krb5 AFS without any client
> >changes.
> 
> I think this is a great change, but one question: it seems like you could
> do this _without_ the involvement of krb524d, right?  I mean, aklog should
> have all of the pieces it needs without involving krb524d.

Yes it should, as it sounds like they are planning on using the client's
capability to store a K5 ticket as a token, which was added by Transarc for
the AFS - DFS migration tool.

The modified aklog called ak5log, which we have been using since at least 1998
with krb5-1.0.5, has an option -dfs. If present it would not use the krb524
routines but would use the K5 ticket as the token.  aklog_main.c:

      if (afsdfs) {     /* ticket should be type 5 */
         /* build "comp1/comp2/..." from the client principal components */
         cp = (char *)&username;
         j = krb5_princ_size(context, v5cred->client);
         for (i = 0; i < j; i++) {
           k = krb5_princ_component(context, v5cred->client, i)->length;
           bcopy(krb5_princ_component(context, v5cred->client, i)->data, cp, k);
           cp += k;
           *cp = '/';
           cp++;
         }
         cp--;
         *cp = '\0';     /* overwrite the trailing '/' */

         atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5;   /* marks token as a K5 ticket */
         atoken.startTime = v5cred->times.starttime;
         atoken.endTime = v5cred->times.endtime;
         /* should test for the length and for type */
         bcopy(v5cred->keyblock.contents, &atoken.sessionKey, 8);

         atoken.ticketLen = v5cred->ticket.length;
         bcopy(v5cred->ticket.data, atoken.ticket, v5cred->ticket.length);


If anyone is interested, see ftp://achilles.ctd.anl.gov/pub/kerberos.v5/ak5log.20010824.tar

> 
> I know, it's easier to upgrade one server than all of the clients, so the
> change still makes sense; I'm just thinking about the "mid-term" solution.
> 
> --Ken

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
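As an added example (not code from the message above or from ak5log), here is how the token-building step could carry out the length and type checks that the excerpt's comment defers: the ticket is rejected if it would overrun the fixed-size ticket field, the session key if it is not the 8-byte size the field holds, and the principal name if it would not fit its buffer. The struct shapes and the values of MAXKTCTICKETLEN and RXKAD_TKT_TYPE_KERBEROS_V5 are assumed stand-ins, not copied from the real OpenAFS or krb5 headers.

```c
#include <stdint.h>
#include <string.h>
/* Simplified stand-ins for the OpenAFS and krb5 types in the excerpt (assumed). */
#define RXKAD_TKT_TYPE_KERBEROS_V5 256
#define MAXKTCTICKETLEN 344
struct k5data { size_t length; const char *data; };
struct k5cred {
    int ncomp; const char *comp[4];       /* client principal components */
    struct k5data ticket;                 /* encrypted part of the ticket */
    size_t keylen; unsigned char key[32]; /* session key bytes */
    int32_t starttime, endtime;
};
struct ktc_token {
    short kvno; int32_t startTime, endTime; unsigned char sessionKey[8];
    short ticketLen; unsigned char ticket[MAXKTCTICKETLEN];
};
/* Build the AFS token from a krb5 credential, adding the length and type
 * checks the excerpt's comment asks for. 0 on success, negative on refusal. */
int build_k5_token(const struct k5cred *c, struct ktc_token *t,
                   char *name, size_t namelen)
{
    size_t used = 0;
    if (c->ticket.length > MAXKTCTICKETLEN) return -1; /* would overrun ticket[] */
    if (c->keylen != sizeof t->sessionKey) return -2;  /* not an 8-byte DES key */
    for (int i = 0; i < c->ncomp; i++) {              /* join components with '/' */
        size_t k = strlen(c->comp[i]);
        if (used + k + 1 > namelen) return -3;         /* name would not fit */
        memcpy(name + used, c->comp[i], k);
        used += k;
        name[used++] = '/';
    }
    if (used == 0) return -3;
    name[used - 1] = '\0';                             /* drop trailing '/' */
    memset(t, 0, sizeof *t);
    t->kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
    t->startTime = c->starttime; t->endTime = c->endtime;
    memcpy(t->sessionKey, c->key, sizeof t->sessionKey);
    t->ticketLen = (short)c->ticket.length;
    memcpy(t->ticket, c->ticket.data, c->ticket.length);
    return 0;
}
/* Constructed sample credential (no real ticket material); returns the verdict. */
int try_sample(size_t ticketlen, size_t keylen)
{
    static const char blob[MAXKTCTICKETLEN + 8];      /* zero-filled placeholder */
    struct k5cred c = { 2, {"deengert", "admin"}, {ticketlen, blob}, keylen, {0}, 100, 200 };
    struct ktc_token t; char name[64];
    return build_k5_token(&c, &t, name, sizeof name);
}
```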


