(Paul Blackburn) wrote:
> 
> Wey Lai Yiu Fai,
> 
> Ney ho m'ho ma? ;-)
> 
> How do you re-authenticate? Do you use the example from:
>     /afs/transarc.com/public/afs-contrib/tools/reauth/

Yes, I use a similar method to maintain the tokens' lifetime.  But my
problem is that I must arrange for the tokens to be associated with the UID
and not a PAG due to some security concerns.  (Actually I'm running the
ZMailer daemon on it; the admin token is required to read the user's home
directory .forward file.  The local delivery agent will first change to the
user's uid and then either deliver to the system mbox or process his .forward
file.  If I create a PAG before starting ZMailer, the delivery agent will also
inherit the token and then execute any programs that are defined in his
.forward.)

> 
> How do you arrange for your daemon to share AFS identity with
> your re-authenticating daemon? Is this by sharing the same PAG
> (preferred) or unix UID? If by UID, has another process with
> the same UID unlogged?
> 
> IMHO, having a long ticket lifetime for an admin account is not good
> unless you are always careful to "unlog" when you no longer need the ticket.
> (Data structures used to store ticket details can rapidly accumulate
> especially when created via daemon klogs.)

Is a one-day lifetime an acceptable value?   Do you mean I need to unlog
before I reauth in order to keep the kernel data structures small?
Actually, our server will reboot daily and acquire the token in the startup
script.  I think that has the same effect, but it seems it has the same
problem.

Thanks very much for your help!

> 
> You will find AIX examples of re-authenticating daemons for sendmail
> in "auth-sendmail" [1] and for InfoExplorer (on-line documentation for AIX),
> and qdaemon (print spooler) in "afs_install" [2]. These use a variation of
> the afs-contrib re-auth daemon which syslogs its authentication activity
> and share AFS identity via a PAG.
> 
> Hope this helps.
> --
> choi g'in!
> paul                             http://acm.org/~mpb/homepage.html
> 
> References:
> 
> [1] "auth-sendmail"
>     ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/auth-sendmail.tar.Z
> 
> [2] "afs_install"
>     ftp://ftp.transarc.com/pub/afs-contrib/tools/afs_install/afs_install.tar
> 
> Lai Yiu Fai <[EMAIL PROTECTED]> wrote:
> >
> >Hi,
> >
> >I'm running Solaris 2.5 with the 3.4a sun4x_55 distribution and need to
> >associate AFS tokens with a running daemon.   I have programs to klog as
> >root to acquire the token and give the 'root' uid the 'admin' token.  However,
> >the token disappears before it should expire.  I set the
> >admin's max lifetime to 720 hours, but it seems it disappears after
> >1 or 2 days, or even several hours.   Has anybody come across this problem?
> >How can it be overcome?   Does it help if I set the max. lifetime to a
> >smaller value and re-authenticate more frequently?
> >
> >As the daemon will fork other processes and setuid to the user to run the
> >user's program, there is a security concern if I associate the tokens with
> >a PAG instead of the uid.
> >
> >Thanks!
> >=======================================================================
> >Lai Yiu Fai                       |  Tel.:       (852) 2358-6202
> >Centre of Computing Services      |  Fax.:       (852) 2358-0967
> > & Telecommunications             |  E-mail:     [EMAIL PROTECTED]
> >                                  |
> >The Hong Kong University of       |  Clear Water Bay,
> >Science & Technology              |  Kowloon, Hong Kong.
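One way to handle the .forward step discussed in this thread (an added example, not code from the thread, from ZMailer or from the afs-contrib tools): a delivery agent that runs program entries under the AFS `pagsh` command, so the child starts in a fresh PAG that has not inherited the daemon's admin token. The `.forward` parsing helpers and the `PAGSH` override are assumptions of this example; the UID change the agent already does is left as it was.

```shell
#!/bin/sh
# Added example: keep the daemon's admin token out of user-controlled programs.
# Assumes the AFS `pagsh` command (creates a new PAG, then runs a shell).
# PAGSH is overridable so the logic can be exercised on a host without AFS.
PAGSH="${PAGSH:-pagsh}"

# A .forward entry beginning with "|" (optionally inside double quotes)
# pipes the message to a program; other entries are addresses or files.
forward_is_program() {
    case "$1" in
        "|"*|"\"|"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Reduce a program entry to the command line it names:
# strip surrounding double quotes, then the leading "|".
forward_program_command() {
    cmd="${1#\"}"
    cmd="${cmd%\"}"
    cmd="${cmd#|}"
    printf '%s\n' "$cmd"
}

# Run a command in a NEW process authentication group.  pagsh calls setpag()
# before starting the shell, so the child no longer shares the daemon's PAG
# and sees none of its tokens; anything the program klogs stays isolated.
# Do not `unlog` in the child instead: in a shared PAG that would destroy
# the admin token for the daemon as well.
run_in_fresh_pag() {
    "$PAGSH" -c "$1"
}

# Process one .forward entry: programs go through a fresh PAG, everything
# else is handed to normal delivery (stubbed here as a message).
deliver_forward_entry() {
    entry="$1"
    if forward_is_program "$entry"; then
        run_in_fresh_pag "$(forward_program_command "$entry")"
    else
        printf 'deliver to %s\n' "$entry"
    fi
}
```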
