[OpenAFS] AFS Token / Kerberos v5 ticket

Jeffrey Altman jaltman at secure-endpoints.com
Mon Oct 19 12:26:39 EDT 2009


Remi:

Can you please explain what it is that you are attempting
to accomplish?

An AFS token can be created in a number of ways, not all of which
are Kerberos v5.  tkt_DecodeTicket5() can only be used when the
kvno of the AFS token is RXKAD_TKT_TYPE_KERBEROS_V5 or
RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY.  To decrypt the ticket
you need to have possession of the afs service principal key
that matches the kvno in the Kerberos v5 ticket.

From your previous e-mail to kerberos at mit.edu I know that you
are trying to print your own AFS tokens.  I do not understand
why you aren't simply using "aklog -keytab <keytab> -principal
<principal> -cell <cellname>" which will produce a new token
for the specified principal in the specified cell using the key
in the provided keytab.  Why do you need to decrypt the existing
AFS token?  In order to decrypt the old token you would need to
have the key for the afs service principal, if you have that then
you can simply print a token whenever you want for whomever you
want.

On 9/29 you said the reason for this project is to permit
automated token renewal for users that remotely login via SSH.
I would think long and hard as to the risks associated with
placing copies of your afs service principal keys on such machines.
If that key becomes compromised, the attacker can do anything they
want to the data in your cell or pretend to be anyone to your cell.
Are the benefits worth the risk?

Jeffrey Altman


Remi Ferrand wrote:
> Hi,
> 
> I'm trying to find a way to efficiently decrypt an AFS Token created
> with "kinit + aklog" in order to access the encrypted data.
> 
> Every attempt I made to use the tkt_DecodeTicket5 function was
> unsuccessful (this function is supposed to exist for this purpose, isn't
> it?)
> 
> My last (and ultimate) idea is to map the AFS Token to a krb5_ticket and
> to decrypt it with the krb5_decrypt_tkt_part function.
> That's not an easy trick and I would like to know if someone has already
> written something about this ....
> 
> My questions are :
> * Is it possible to map an AFS Token to a krb5_ticket and decrypt it
> using the krb5_decrypt_tkt_part function?
>     The encrypted part of AFS Tokens created with "kinit+aklog" is based
> on the krb5_encrypt_tkt_part function so I think that's possible.
> 
> * Has anyone already tried something like this?
>     Could anyone help me do this?
> 
> For sure, any other ideas for accessing the encrypted content of the AFS
> Tokens created with "kinit + aklog" are accepted.
> 
> Thanks in advance
> 
> Remi
> 
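A worked example added to this archived thread (it is not code from OpenAFS nor from either poster): a small Python script that applies the two checks Jeffrey describes above. It looks at the token's kvno field to decide whether tkt_DecodeTicket5() would apply at all (only for the two Kerberos v5 marker values), and for those two types it parses the embedded Kerberos material to find the service principal, etype and key version, then matches that against a keytab listing, since only the afs service key with the same kvno can decrypt the ticket. It assumes the RXKAD_TKT_TYPE_* values 256 and 213 from OpenAFS's rxkad.h and the RFC 4120 DER layout of Ticket and EncryptedData; the sample ticket, cell name, realm, key versions and keytab entries are all constructed for the example, not captured from a real cell.

```python
"""Classify an rxkad (AFS) token by its kvno field and, for the two Kerberos v5
token types, read the service name, etype and key version from the embedded
Kerberos material to see which afs service key could decrypt it.  Added
example, not OpenAFS code; RXKAD_TKT_TYPE_* values (256, 213) are assumed from
OpenAFS rxkad.h, DER layout is RFC 4120, and all sample data is constructed."""

RXKAD_TKT_TYPE_KERBEROS_V5 = 256               # assumed from rxkad.h: full Ticket
RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY = 213  # assumed from rxkad.h: EncryptedData only

# Minimal DER encode/decode, just enough for Ticket and EncryptedData.
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def _tlv(tag, body): return bytes([tag]) + _len(len(body)) + body
def _int(v):                       # DER INTEGER, two's complement
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def _ctx(n, body): return _tlv(0xA0 | n, body)   # context-specific constructed [n]
def _parse_tlv(buf, pos=0):
    """Return (tag, value, position after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln
def _children(body):               # every TLV inside a constructed body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _parse_tlv(body, pos)
        out.append((tag, val))
    return out
def _inner(ctx_val): return _parse_tlv(ctx_val)[1]   # value of the TLV wrapped by [n]
def _to_int(ctx_val): return int.from_bytes(_inner(ctx_val), "big", signed=True)

def parse_encrypted_data(der):
    """EncryptedData ::= SEQUENCE { etype [0], kvno [1] OPTIONAL, cipher [2] }"""
    tag, body, _ = _parse_tlv(der)
    if tag != 0x30:
        raise ValueError("EncryptedData is not a SEQUENCE")
    out = {"etype": None, "kvno": None}
    for ctag, cval in _children(body):
        if (ctag & 0x1F) == 0:
            out["etype"] = _to_int(cval)
        elif (ctag & 0x1F) == 1:
            out["kvno"] = _to_int(cval)
    return out

def parse_ticket(der):
    """Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }"""
    tag, app_body, _ = _parse_tlv(der)
    if tag != 0x61:
        raise ValueError("not an [APPLICATION 1] Ticket")
    out = {}
    for ctag, cval in _children(_parse_tlv(app_body)[1]):
        n = ctag & 0x1F
        if n == 1:
            out["realm"] = _inner(cval).decode("ascii")
        elif n == 2:               # PrincipalName: name-type [0], name-string [1] SEQUENCE OF
            for ptag, pval in _children(_inner(cval)):
                if (ptag & 0x1F) == 1:
                    out["sname"] = "/".join(v.decode("ascii") for _, v in _children(_inner(pval)))
        elif n == 3:
            out["enc_part"] = parse_encrypted_data(cval)
    return out

def classify_token(token_kvno, ticket_blob):
    """tkt_DecodeTicket5() applies only to the two v5 kvno markers; anything else is non-v5."""
    if token_kvno == RXKAD_TKT_TYPE_KERBEROS_V5:
        t = parse_ticket(ticket_blob)
        return {"type": "krb5", "sname": t["sname"], "realm": t["realm"],
                "etype": t["enc_part"]["etype"], "key_kvno": t["enc_part"]["kvno"]}
    if token_kvno == RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY:
        e = parse_encrypted_data(ticket_blob)
        return {"type": "krb5-encpart-only", "sname": None, "realm": None,
                "etype": e["etype"], "key_kvno": e["kvno"]}
    return {"type": "not-krb5", "sname": None, "realm": None, "etype": None, "key_kvno": None}

def matching_keys(info, keytab):
    """Keytab entries (principal, kvno, etype) that could decrypt this token.
    The enc-part-only form carries no service name, so only kvno/etype match."""
    if info["type"] == "not-krb5":
        return []
    want = None if info["sname"] is None else f'{info["sname"]}@{info["realm"]}'
    return [e for e in keytab
            if e[1] == info["key_kvno"] and e[2] == info["etype"]
            and (want is None or e[0] == want)]

def build_sample_ticket():
    """Constructed Ticket for afs/example.org@EXAMPLE.ORG, etype 18, kvno 3; returns (ticket, enc-part)."""
    name = _tlv(0x30, _tlv(0x1B, b"afs") + _tlv(0x1B, b"example.org"))
    sname = _tlv(0x30, _ctx(0, _int(2)) + _ctx(1, name))
    enc = _tlv(0x30, _ctx(0, _int(18)) + _ctx(1, _int(3)) + _ctx(2, _tlv(0x04, b"\x00" * 32)))
    seq = _tlv(0x30, _ctx(0, _int(5)) + _ctx(1, _tlv(0x1B, b"EXAMPLE.ORG")) + _ctx(2, sname) + _ctx(3, enc))
    return _tlv(0x61, seq), enc

SAMPLE_KEYTAB = [("afs/example.org@EXAMPLE.ORG", 2, 18),   # constructed, shaped like klist -k -e
                 ("afs/example.org@EXAMPLE.ORG", 3, 18),
                 ("host/gw.example.org@EXAMPLE.ORG", 7, 18)]
```

Running classify_token() on the constructed ticket with kvno 256 and on its enc-part with kvno 213 both pick out the single keytab entry with kvno 3; any other token kvno is reported as not-krb5, which is the case where tkt_DecodeTicket5() fails because there is no Kerberos v5 ticket inside. Note the point this makes concrete: the only key that ever matches is the afs service key itself, which is exactly the key Jeffrey warns against copying onto login hosts.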