On Tue, 4 Jun 1996, Ken Hornstein wrote:
> However, I assume Transarc made rsh work this way specifically to prevent
> people from trying to do what you're doing :-) Using rsh to pass your AFS
> token sends the token in the clear over the network. At our site our
> admins tolerate this on our local net, but I'd never want to send my token
> in the clear over the Internet. Anyone who is packet sniffing could grab
> it and do all sorts of evil things to my files.
>
> The _real_ solution is to use Kerberos 5 and forwardable tickets, which might
> even be doable if the long-awaited beta 6 actually works :-)
If you're interested, I've just completed adding support for traditional
Kerberos authentication, AFS password authentication, AFS token and
Kerberos ticket passing to Tatu Ylonen's SSH (Secure Shell) package (a
drop-in replacement for all the Berkeley r-commands).
Tokens and tickets are passed only after Kerberos V4 authentication
succeeds, and never in the clear. http://www.cs.hut.fi/ssh for more info
on SSH, and write me if you want my diffs to try out.
---
Douglas Song dugsong@{umich.edu,monkey.org}
University of Michigan ITD GPCC Unix Services
www: http://www-personal.umich.edu/~dugsong
keyid: C2263445 fingerprint: BF F5 20 EA DA 2F C4 F4 7D 68 4A 50 E4 35 D1 17
