Hack Kerberos / AFS
Simon Wilkinson
simon@sxw.org.uk
Tue Sep 29 05:00:00 EDT 2009
On 29 Sep 2009, at 10:31, Remi Ferrand wrote:
> Hi,
>
> I need help to create a little hack on Kerberos / AFS.
You'd be much better off asking this question on the openafs-devel
list, to which I've directed follow-ups. This is definitely off-topic for
krb-devel, and is actually not particularly Kerberos-dependent at all.
> My final aim is to forge Tokens (Ticket Granting Server for AFS
> (Andrew File System)) without any passwords from the users (directly
> with the Master Key).
You don't need to use the Kerberos master key for this - you can forge
AFS tokens using just the afs/<cell>@<REALM> key that's stored in your
servers' keyfiles. The daemon that lives behind gssklog already forges
AFS tokens - that's probably a good place to look for code.
Hope that helps,
Simon.
> Our production system works as follows:
> - the client SSHes onto a machine and is granted an AFS Token obtained
> with aklog.
> At this very step, the user has the Ticket Granting Ticket
> krbtgt/REALM@REALM and the afs/cell@REALM Ticket Granting Service ticket.
> It also has an AFS Token obtained with aklog.
> - the user will then submit a job to our Batch system.
> - the job will be processed X hours/minutes later and could last a
> long time.
>
> Our problem is that some jobs could last longer than the AFS token
> lifetime.
> Once this lifetime has expired, jobs can no longer access AFS filesystems
> and will abort.
>
> My idea is to implement a new functionality in our Batch system:
> the capability of "Token regeneration".
> My first idea was to:
> * store the Master Key K/M@REALM in a KeyTab.
> * store the TGT somewhere once the user has been granted the TGT (on
> the client side).
> * when the Token is about to expire, I would like to read the K/M
> from the KeyTab and use it to decrypt the user's TGT stored in the
> previous step.
> * once the user's TGT has been decrypted with the K/M, I will then be
> able to modify the expiration time and other fields.
>
> I still have many questions about details:
> * the stash file is used to decrypt the DataBase, isn't it?
> * Every DataBase entry is encrypted with the Master Key, isn't it?
> * On the KDC side, the TGT is decrypted with the Master Key in the
> DataBase (is this the K/M@REALM entry?)
> * when the TGT is in the client cache, the TGT is encrypted with the
> user's password, isn't it?
> * If I have my K/M in a KeyTab, am I able to decrypt the TGT stored
> in the client cache?
>
> Is this possible?
> Any other idea is welcome...
>
> Thanks in advance for your help :)
>
>
> --
>
> Remi Ferrand | Institut National de Physique Nucleaire
> Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
> Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
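The exchange above turns on which key seals which object: the stash file holds K/M, the database holds every principal's key wrapped under K/M, a TGT is sealed under the krbtgt key, the AS-REP carrying the session key is sealed under the user's key, and an afs/<cell> service ticket (which is what an AFS token carries) is sealed under the afs service key. The following model, written for this page and not taken from the thread, MIT Kerberos or OpenAFS, walks those layers with a toy cipher (SHA-256 keystream plus HMAC-SHA256 tag standing in for a krb5 enctype); the realm, cell, principal names and keys are all constructed here. It shows Simon's point directly: a holder of the service key alone can mint a ticket the service accepts, with whatever end time it likes, and K/M only matters insofar as it unwraps that same service key from the database.

```python
"""Model of the Kerberos key layers discussed in the thread (added example;
not code from the thread, MIT Kerberos or OpenAFS). Toy cipher, constructed
realm/cell/principals/keys."""
import hashlib
import hmac
import json
import os
import time

TAG_LEN = 32
REALM = "EXAMPLE.ORG"   # constructed realm
CELL = "example.org"    # constructed AFS cell name


def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def encrypt(key, obj):
    """Toy encrypt-then-MAC of a dict; stands in for a krb5 enctype."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Raises ValueError under the wrong key (cf. KRB5KRB_AP_ERR_BAD_INTEGRITY)."""
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad integrity: wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def opens(key, blob):
    """True if `key` decrypts `blob`; used to show which layer each key reaches."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


# Long-term keys. The KDC database holds each principal's key wrapped under
# the master key K/M; the stash file holds K/M itself and nothing else.
MASTER_KEY = os.urandom(32)
KEYS = {
    f"krbtgt/{REALM}@{REALM}": os.urandom(32),
    f"afs/{CELL}@{REALM}": os.urandom(32),                       # also in the fileservers' KeyFile
    f"remi@{REALM}": hashlib.sha256(b"user-password").digest(),  # string2key of the password
}
DATABASE = {p: encrypt(MASTER_KEY, {"key": k.hex()}) for p, k in KEYS.items()}


def db_key(principal):
    """What the KDC does with the stash: unwrap one principal's key from the DB."""
    return bytes.fromhex(decrypt(MASTER_KEY, DATABASE[principal])["key"])


def mint_ticket(service_key, service, client, lifetime):
    """A ticket is the client name, session key and validity window sealed
    under the SERVICE's key. Whoever holds that key can mint one with any
    lifetime; this is all a gssklog-style token forger needs."""
    now = int(time.time())
    session_key = os.urandom(32)
    enc_part = {"client": client, "session_key": session_key.hex(),
                "starttime": now, "endtime": now + lifetime}
    return {"service": service, "enc_part": encrypt(service_key, enc_part),
            "session_key": session_key}   # session key is handed to the client


def kdc_as_exchange(client, lifetime):
    """AS-REQ/AS-REP: the TGT is sealed under the krbtgt key; only the reply
    carrying the session key is sealed under the user's key. The client
    caches the TGT blob opaquely, it never decrypts it."""
    tgs = f"krbtgt/{REALM}@{REALM}"
    tgt = mint_ticket(db_key(tgs), tgs, client, lifetime)
    as_rep = encrypt(db_key(client), {"session_key": tgt["session_key"].hex()})
    return tgt["enc_part"], as_rep


def service_accepts(service_key, ticket, now=None):
    """Server side (a fileserver, or any keyed service): decrypt with its own
    key and check the validity window. Returns the client name or None."""
    now = int(time.time()) if now is None else now
    try:
        t = decrypt(service_key, ticket["enc_part"])
    except ValueError:
        return None
    return t["client"] if t["starttime"] <= now < t["endtime"] else None
```

Run stand-alone, `mint_ticket(KEYS[f"afs/{CELL}@{REALM}"], ...)` yields a ticket that `service_accepts` takes with the afs key and rejects with anything else, including K/M; the K/M route only adds a `db_key(...)` lookup in front of the same call. The toy cipher is deliberately not a real enctype: the point of the model is the key hierarchy, not the cryptography.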