Hi,

I have two questions about the /usr/afsws/etc/kas command.

I don't know if the Kerberos server is more popular than the KA server. My 
opinion is that the kas command (and others like uss) don't function as well 
as all the other AFS commands.

First of all, why doesn't kas look at the AFS token in the current shell?
The search order for the password is:

1: -admin switch
2: Unix UID

I think it should be:

1: -admin switch
2: AFS token in the shell
3: Unix UID

Today I have to type commands like this:

$ /usr/afsws/etc/kas examine <user> -admin mem.admin

otherwise kas asks for the password for mem (my UID) even if the shell has a 
token that belongs to mem.admin.



The second question is about the "kas examine" command. Today everyone 
always has to enter a password when they do an examine. I don't like that.

With the examine command you can't "destroy" anything, just get 
information. I know that information is the most important thing for a 
cracker.

My idea is that a normal user should get info about their own entry without 
any password request. And if the shell has an AFS token that belongs to an 
entry with the ADMIN flag set, then "kas examine" should get any 
information without any password request.

You will ask me why. In our cell we don't use the Transarc AFS login 
program, we are using a special version of XDM login and Athena Kerberos 
telnet. So today the users don't get any warning messages before the 
password expires. We have an idea of creating a shell script that does a "kas 
examine <loginuser>" at login time and displays a warning message. But today 
the users have to enter their own passwords to get that type of script to 
work okay. And the users don't like to type their passwords a second time 
when they log in.

The second thing is that we have some administrative scripts that need to 
look in the KAS database. If I have an ADMIN token when I run this type of 
script it would be much easier; today I have to enter my password each time 
the script does a "kas examine".

Would this type of change in "kas examine" be a security question or just a 
change of the behaviour of the command?

                                 _\\|//_
                                 (-0-0-)
/------------------------------ooO-(_)-Ooo-----------------------------\
| Magnus Sandberg    Email: [EMAIL PROTECTED]    http://www.it.kth.se/~mem |
| Systems admin, Royal Institute of Technology/Dep. of Teleinformatics |
| Phone: +46-8-752 14 46  FAX: +46-70-711 53 03  GSM: +46-70-716 62 06 |
\----------------------------------------------------------------------/
                                 ||   ||
                                ooO   Ooo

