[OpenAFS] AFS Token / Kerberos v5 ticket
Rainer Toebbicke
rtb at pclella.cern.ch
Tue Oct 20 06:59:45 EDT 2009
Xavier,

the "forge" code that Remi tried to get working is capable of decrypting an
AFS token both for K4 and K5, however it can only re-encrypt a K4 one, not K5.
When he asked me for advice I suggested dropping that code and rather using
Heimdal's kadmin extract to temporarily extract a keytab entry for the user in
question and then simply do a "kinit -k" + aklog to build a new token for
shipment back to the batch worker.

This is also possible with MIT Kerberos, using a mod to ktutil developed by
Andrei.

Sure enough, all this has to take place on a trusted server using an
authenticated and secure channel; no keys are available to the batch worker.

For both, once the batch job is running, within the ticket refresh period an
occasional "kinit -R" + aklog is sufficient and safer.

BTW: for the brave, "impersonating" as a user (which is what your batch system
does in the end) is also possible without hacking or C-coding, using a
suitably mapped certificate, with Heimdal and even Windows. Probably MIT as
well. Just increasingly tricky to keep it hackerproof.

Cheers, Rainer
Xavier Canehan schrieb:
> Our home-made batch system used to save and forge kas tickets. No
> Kerberos 5, not very secure, easiest. Moreover, it was just navigating
> through bit fields to forge a ticket. No AFS primitive involved.
>
> We are migrating: away from the current batch system and to Kerberos 5.
> During the process, we have to modify our batch system, whilst the main
> developer retired.
>
> As Rémi worked on the Kerberos 5 migration here, he has been volunteered to
> provide code to migrate our batch system. Thus, he is investigating
> several options to cope with either kas, fakeka or K5.
> He may not have been clear: we are not willing to put a keyfile in
> insecure places. We have to modify our batch master and prepare the
> place for the next.
>
> Thanks to everyone who helped, either with directions or code.
> Rémi is adapting code from Rainer Toebbicke. If not successful, we will
> certainly switch to Heimdal, as suggested by Derrick Brashear.
>
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985 Fax: +41 22 767 7155
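The trusted-server recipe Rainer describes (temporary keytab extraction, "kinit -k", aklog, then "kinit -R" on the worker), written out as an added example; this is not code from the thread, OpenAFS or Heimdal. It assumes Heimdal's kadmin ext_keytab run with local database access on the trusted server, a kinit that accepts -k -t (Heimdal or MIT), OpenAFS aklog, and leaves the shipping of the resulting credential cache to the caller; DRY_RUN=1 prints the privileged commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Trusted-server side of the recipe:
# extract the user's key into a short-lived 0600 keytab, kinit from it,
# aklog, and destroy the key material on every exit path.
# Assumptions: Heimdal kadmin (ext_keytab, -l = local database access),
# kinit accepting -k -t (Heimdal/MIT), OpenAFS aklog.
# DRY_RUN=1 echoes the privileged commands instead of running them.

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Only plain user principals (name@REALM): anything with an instance
# (host/..., foo/admin) is refused so the wrapper cannot extract service keys.
valid_user_principal() {
    case "$1" in
        */*|"") return 1 ;;
        *@*)    return 0 ;;
        *)      return 1 ;;
    esac
}

# build_token user@REALM -> prints the credential cache holding the new TGT
# and AFS token; the caller ships that cache to the batch worker.
build_token() {
    princ=$1
    valid_user_principal "$princ" || { echo "refusing principal '$princ'" >&2; return 1; }
    umask 077
    keytab=$(mktemp "${TMPDIR:-/tmp}/batch-kt.XXXXXX") || return 1
    trap 'rm -f "$keytab"' EXIT INT TERM     # never leave the key on disk
    export KRB5CCNAME="FILE:${keytab}.cc"    # private cache, not the admin's
    run kadmin -l ext_keytab -k "$keytab" "$princ" || return 1
    run kinit -k -t "$keytab" "$princ"             || return 1
    rm -f "$keytab"   # key no longer needed once the TGT exists
    run aklog                                      || return 1
    echo "$KRB5CCNAME"
}

# On the batch worker, within the refresh period: renew, never re-extract.
refresh_token() {
    run kinit -R && run aklog
}

# Stand-alone demo with a constructed principal:  ./batch-token.sh --demo
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1; build_token batchuser@EXAMPLE.ORG
fi
```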