Hack Kerberos / AFS
remi.ferrand at cc.in2p3.fr
Tue Sep 29 04:31:16 EDT 2009
I need help to create a little hack on Kerberos / AFS.
My final aim is to forge Tokens (Ticket Granting Server for AFS (Andrew
File System)) without any passwords from the users (directly with the
Our production system works as follows:
- the client SSH onto a machine and is granted an AFS Token obtained
At this very step, the user has the Ticket Granting Ticket
krbtgt/REALM@REALM ticket and the afs/cell@REALM Ticket Granting
Service. It also has an AFS Token obtained with aklog.
- the user will then submit a job to our Batch system.
- the job will be processed X hours/minutes later and could last a long
Our problem is that some jobs could last more than the AFS token lifetime.
Once this lifetime is expired, jobs cannot access AFS filesystems
anymore and will abort.
My idea is to implement a new functionality to our Batch system: the
capacity of "Token regeneration".
My first idea was to:
* store the Master Key K/M@REALM in a KeyTab.
* store the TGT somewhere once the user has been granted the TGT (on the
* once the Token is going to expire, I would like to read the K/M from
the KeyTab and use it to decrypt the user TGT stored at the previous step.
* once the user TGT has been decrypted with the K/M I will then be able
to modify expiration time and other fields.
I still have many questions about details:
* the stash file is used to decrypt the DataBase, isn't it?
* Every DataBase entry is encrypted with the Master Key, isn't it?
* On the KDC side, the TGT is decrypted with the Master Key in the
DataBase (is this the K/M@REALM entry?)
* when the TGT is in the client cache, the TGT is encrypted with the
user password, isn't it?
* If I have my K/M in a KeyTab, am I able to decrypt the TGT stored in
the client cache?
Is this possible?
Any other is accepted...
Thanks in advance for your help :)
Remi Ferrand | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)18.104.22.168.70 | Centre de Calcul - http://cc.in2p3.fr/