Hack Kerberos / AFS

Simon Wilkinson simon at sxw.org.uk
Tue Sep 29 05:00:00 EDT 2009

On 29 Sep 2009, at 10:31, Remi Ferrand wrote:

> Hey,
> I need help to create a little hack on Kerberos / AFS.

You'd be much better off asking this question on the openafs-devel
list, to which I've directed follow-ups. This is definitely off-topic for
krb-devel, and is actually not particularly Kerberos dependent at all.

> My final aim is to forge Tokens (Ticket Granting Server for AFS
> (Andrew File System)) without any passwords from the users (directly
> with the Master Key).

You don't need to use the Kerberos master key for this - you can forge
AFS tokens using just the afs/<cell>@<REALM> key that's stored in your
servers' keyfiles. The daemon that lives behind gssklog already forges
AFS tokens - that's probably a good location to look for code.

Hope that helps,


> Our production system works as follows:
> - the client SSHes onto a machine and is granted an AFS Token obtained
> with aklog. At this very step, the user has the Ticket Granting Ticket
> krbtgt/REALM at REALM and the afs/cell at REALM Ticket Granting Service
> ticket. It also has an AFS Token obtained with aklog.
> - the user will then submit a job to our Batch system.
> - the job will be processed X hours/minutes later and could last a
> long time.
> Our problem is that some jobs could last more than the AFS token
> lifetime. Once this lifetime is expired, jobs could not access AFS
> filesystems anymore and will abort.
> My idea is to implement a new functionality in our Batch system:
> the capacity of "Token regeneration".
> My first idea was to:
> * store the Master Key K/M at REALM in a KeyTab.
> * store the TGT somewhere once the user has been granted the TGT (on
> the client side).
> * once the Token is going to expire, I would like to read the K/M
> from the KeyTab and use it to decrypt the user TGT stored at the
> previous step.
> * once the user TGT has been decrypted with the K/M I will then be
> able to modify expiration time and other fields.
> I still have many questions about details:
> * the stash file is used to decrypt the DataBase, isn't it?
> * Every DataBase entry is encrypted with the Master Key, isn't it?
> * On the KDC side, the TGT is decrypted with the Master Key in the
> DataBase (is this the K/M at REALM entry?)
> * when the TGT is in the client cache, the TGT is encrypted with the
> user password, isn't it?
> * If I have my K/M in a KeyTab, am I able to decrypt the TGT stored
> in the client cache?
> Is this possible?
> Any other is accepted...
> Thanks in advance for your help :)
> -- 
> Remi Ferrand             | Institut National de Physique Nucleaire
> Tel. +33(0) |     et de Physique des Particules
> Fax. +33(0) | Centre de Calcul - http://cc.in2p3.fr/
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
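The operational problem in the quoted message is that a batch job can outlive the AFS token it started with. Before building any re-minting machinery, a scheduler needs to know when a token will lapse relative to the job's worst-case end time. The following is an added example (not code from this thread, from OpenAFS, or from gssklog) that parses the output of the OpenAFS `tokens` command and decides whether a token covers a job; the output format is assumed to be the usual `User's (AFS ID n) tokens for afs@cell [Expires Mon DD HH:MM]` line, with `[>> Expired <<]` for a lapsed token, and the sample output below is constructed. The `tokens` output carries no year, so the code rolls the date forward when the parsed expiry would fall implausibly far in the past.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `tokens` output (format assumed from OpenAFS, not
# captured from a real system): one live token and one expired one.
SAMPLE_TOKENS_OUTPUT = """\
Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.org [Expires Sep 29 17:20]
User's (AFS ID 1234) tokens for afs@old.example.org [>> Expired <<]
   --End of list--
"""

# Matches the per-cell line; `expiry` is absent when the token has lapsed.
TOKEN_RE = re.compile(
    r"tokens for afs@(?P<cell>\S+) \["
    r"(?:>> Expired <<|Expires (?P<expiry>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}))\]"
)


def token_expiries(output, now):
    """Map each cell named in `tokens` output to its expiry datetime.

    Expired tokens map to None. The printed date has no year, so we assume
    the current year and roll over to the next one if that would place the
    expiry more than half a year in the past (e.g. a December job reading a
    January expiry).
    """
    expiries = {}
    for m in TOKEN_RE.finditer(output):
        if m.group("expiry") is None:
            expiries[m.group("cell")] = None
            continue
        expiry = datetime.strptime(f"{now.year} {m.group('expiry')}", "%Y %b %d %H:%M")
        if expiry < now - timedelta(days=180):
            expiry = expiry.replace(year=now.year + 1)
        expiries[m.group("cell")] = expiry
    return expiries


def token_covers_job(expiries, cell, job_end):
    """True only if a live token for `cell` outlasts the job's worst-case end."""
    expiry = expiries.get(cell)
    return expiry is not None and expiry >= job_end


def renewal_deadline(expiries, cell, slack=timedelta(minutes=30)):
    """Latest moment at which a renewal must have happened, or None if no
    live token exists for the cell (renewal is already overdue)."""
    expiry = expiries.get(cell)
    return None if expiry is None else expiry - slack


if __name__ == "__main__":
    now = datetime(2009, 9, 29, 5, 0)  # constructed reference time
    exp = token_expiries(SAMPLE_TOKENS_OUTPUT, now)
    job_end = now + timedelta(hours=20)
    for cell in exp:
        print(cell, "covers job:", token_covers_job(exp, cell, job_end),
              "renew by:", renewal_deadline(exp, cell))
```

A scheduler would run this check at submission time and again before dispatch: a job whose maximum runtime ends after `renewal_deadline` needs either a longer-lived credential at submission or a renewal hook in the batch system, and a job against a cell whose token is already expired should not be dispatched at all.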
