>   Has anyone successfully passed inter-cell token? If I logon to 
>machine foo and do the following:
>
>   rsh foo tokens
>
>   then the inner-cell token is passed to the remote session. If I do 
>'unlog' from foo and then 'klog -cell rl.ac.uk' and get a token from 
>another cell, I type
>
>   rsh foo tokens
>
>   and this time the other-cell token is not passed over. Maybe I should
>only try to pass the token of the cell which the remote machine belongs to.
>I did try that, no luck either. Any suggestion will be greatly appreciated!

Unfortunately, this won't work, but you'd have to read the source to figure
out why.

Basically, the problem is that rsh/ta-rauth/inetd.afs _only_ pass tokens
for your local cell.  If you look at the code, you'll see that it calls
ktc_GetToken() with only the local cell name, instead of looking at all the
tokens that the user has.

The cell name isn't even passed over the connection -- the other end just
assumes that it's in the local cell, and does a ktc_SetToken() with that
token for the remote side's cell.  If you're all in the same cell, this
works great.  Otherwise, this fails miserably (I do know one person who
claims that he does this all the time, but I think this is because he's using
cross-cell authentication).

However, I assume Transarc made rsh work this way specifically to prevent
people from trying to do what you're doing :-)  Using rsh to pass your AFS
token sends the token in the clear over the network.  At our site our
admins tolerate this on our local net, but I'd never want to send my token
in the clear over the Internet.  Anyone who is packet sniffing could grab
it and do all sorts of evil things to my files.

The _real_ solution is to use Kerberos 5 and forwardable tickets, which might
even be doable if the long-awaited beta 6 actually works :-)

--Ken

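The forwarding path Ken describes, as an added example that is not from the original thread and not AFS or Transarc code: a small C model in which ktc_GetToken()/ktc_SetToken() are replaced by an in-memory cache (stand-ins, not the real API), the client side forwards only the local cell's token, the wire message carries the token bytes and no cell name, and the server side installs whatever arrives under its own local cell. The cell names home.example and rl.ac.uk and the token strings are constructed. The scenarios reproduce the outcomes in the thread: same-cell rsh works, a user holding only a foreign-cell token has nothing forwarded, a local-cell token sent to a host in another cell is filed under the wrong cell name, and the bytes a sniffer sees on the path are the token itself.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 8
#define CELL_LEN   64
#define TOKEN_LEN  32

struct token_entry { char cell[CELL_LEN]; char token[TOKEN_LEN]; };
struct token_cache { struct token_entry entries[MAX_TOKENS]; int count; };

/* Stand-in for ktc_GetToken(): return the cached token for exactly one cell. */
static int cache_get_token(const struct token_cache *c, const char *cell,
                           char *out, size_t outlen)
{
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->entries[i].cell, cell) == 0) {
            snprintf(out, outlen, "%s", c->entries[i].token);
            return 0;
        }
    return -1;                        /* user holds no token for that cell */
}

/* Stand-in for ktc_SetToken(): install token bytes under the given cell name. */
static int cache_set_token(struct token_cache *c, const char *cell, const char *token)
{
    int i;
    for (i = 0; i < c->count; i++)
        if (strcmp(c->entries[i].cell, cell) == 0) break;
    if (i == MAX_TOKENS) return -1;
    if (i == c->count) c->count++;
    snprintf(c->entries[i].cell, CELL_LEN, "%s", cell);
    snprintf(c->entries[i].token, TOKEN_LEN, "%s", token);
    return 0;
}

/* What crosses the network: the token bytes, in the clear, and no cell name. */
struct wire_msg { int has_token; char token[TOKEN_LEN]; };

/* Client side (rsh/ta-rauth): only the local cell is looked up; any other
 * token the user holds is never considered. */
static struct wire_msg rsh_client_forward(const struct token_cache *c,
                                          const char *client_local_cell)
{
    struct wire_msg m;
    memset(&m, 0, sizeof m);
    m.has_token = cache_get_token(c, client_local_cell, m.token, sizeof m.token) == 0;
    return m;
}

/* Server side (inetd.afs): no cell name arrived, so the token is assumed to
 * belong to the server's own local cell and is installed under that name. */
static int rsh_server_accept(struct token_cache *remote, const struct wire_msg *m,
                             const char *server_local_cell)
{
    if (!m->has_token) return -1;
    return cache_set_token(remote, server_local_cell, m->token);
}

enum hop_result { HOP_OK = 0, HOP_NOTHING_FORWARDED = 1, HOP_WRONG_CELL = 2 };

/* One rsh hop: forward, install, then check whether the remote cache holds
 * the forwarded bytes under the cell they were actually issued for. */
static enum hop_result rsh_hop(const struct token_cache *client,
                               const char *client_local_cell,
                               const char *server_local_cell)
{
    struct token_cache remote;
    char installed[TOKEN_LEN];
    memset(&remote, 0, sizeof remote);
    struct wire_msg m = rsh_client_forward(client, client_local_cell);
    if (rsh_server_accept(&remote, &m, server_local_cell) != 0)
        return HOP_NOTHING_FORWARDED;
    if (cache_get_token(&remote, client_local_cell, installed, sizeof installed) != 0 ||
        strcmp(installed, m.token) != 0)
        return HOP_WRONG_CELL;
    return HOP_OK;
}

/* Constructed scenarios; cell names and token bytes below are made up. */

/* rsh foo tokens, foo in the user's own cell: works. */
enum hop_result scenario_same_cell(void)
{
    struct token_cache c = { .count = 1, .entries = { { "home.example", "TOKEN-HOME" } } };
    return rsh_hop(&c, "home.example", "home.example");
}

/* After unlog and klog -cell rl.ac.uk: only a foreign token, nothing is sent. */
enum hop_result scenario_foreign_token_only(void)
{
    struct token_cache c = { .count = 1, .entries = { { "rl.ac.uk", "TOKEN-RL" } } };
    return rsh_hop(&c, "home.example", "home.example");
}

/* Local token sent to a host in another cell: installed under the wrong name. */
enum hop_result scenario_cross_cell_host(void)
{
    struct token_cache c = { .count = 1, .entries = { { "home.example", "TOKEN-HOME" } } };
    return rsh_hop(&c, "home.example", "rl.ac.uk");
}

/* What a sniffer on the path sees: the token bytes themselves, unprotected. */
int scenario_sniffer_recovers_token(void)
{
    struct token_cache c = { .count = 1, .entries = { { "home.example", "TOKEN-HOME" } } };
    struct wire_msg m = rsh_client_forward(&c, "home.example");
    return m.has_token && strcmp(m.token, "TOKEN-HOME") == 0;
}

int main(void)
{
    printf("same cell: %d, foreign only: %d, cross-cell host: %d, sniffed: %d\n",
           scenario_same_cell(), scenario_foreign_token_only(),
           scenario_cross_cell_host(), scenario_sniffer_recovers_token());
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the result codes map to the enum above. The model deliberately keeps the two defects the thread identifies in one place each: the single-cell lookup in rsh_client_forward and the missing cell name in struct wire_msg, which is why rsh_server_accept has nothing to go on but its own local cell.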