Hack Kerberos / AFS

Remi Ferrand remi.ferrand at cc.in2p3.fr
Tue Sep 29 04:31:16 EDT 2009


I need help to create a little hack on Kerberos / AFS.

My final aim is to forge Tokens (Ticket Granting Server for AFS (Andrew 
File System)) without any passwords from the users (directly with the 
Master Key).

Our production system works as follow :
- the client SSH onto a machine and is granted an AFS Token obtained 
with aklog.
At this very step, the user have the Ticket Granting Ticket 
krbtgt/REALM at REALM ticket and the afs/cell at REALM Ticket Granting 
Service. It also have an AFS Token obtained with aklog.
- the user will then submit a job to our Batch system.
- the job will be processed X hours/minutes later and could last a long 

Our problem is that some jobs could last more than the AFS token lifetime.
Once this lifetime is expired, jobs could not access AFS filesystems 
anymore and will abort.

My idea is to implement a new functionnality to our Batch system: the 
capacity of "Token regeneration".
My first idea was to :
* store the Master Key K/M at REALM in a KeyTab.
* store the TGT somewhere once the user has been granted the TGT (on the 
client side).
* once the Token is going to expire, I would like to read the K/M from 
the KeyTab and use it to decrypt the user TGT stored at the previous step.
* once the user TGT has been decrypted with the K/M I will then be able 
to modify expiration time and other fields.

I still have many questions about details:
* the stash file is used to decrypt the DataBase, isn't it ?
* Every DataBase entry is crypted with the Master Key, isn't it ?
* On the KDC side, the TGT is decrypted with the Master Key in the 
DataBase (is this the K/M at REALM entry ?)
* when the TGT is in the client cache, the TGT is encrypted with the 
user password, isn't it ?
* If I have my K/M in a KeyTab, am I able to decrypt the TGT stored in 
the client cache ?

Is this possible ?
Any other is accepted...

Thanks in advance for your help :)


Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0) |     et de Physique des Particules
Fax. +33(0) | Centre de Calcul - http://cc.in2p3.fr/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4055 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20090929/78202e3f/attachment.bin

More information about the krbdev mailing list