>I didn't say that the kas program should use the AFS service ticket, just 
>look in it to see for which password the kas program shall ask.

Ah, okay .... but that's easy enough to change via the command line.

>Okay, I understand that some commands need to know if the user is root or 
>not. But when kas asks me for my password it is more interesting to ask for 
>the password for the "owner" of the AFS service ticket.

You know ... after looking at the ticket information, it doesn't seem
like that information is really stored in the client.  The "client name"
field ends up being something like "AFS ID 4081" (and that's not even
mandatory -- you can put anything there).

>Transarc could rewrite the kas program. And my real question is if that 
>would be a security problem or not.

Unfortunately, the real changes would have to be made at the kaserver.

>What I know about, there is no Krb V5 outside US with full encryption. And 

Actually, that's not true.  Check out:

http://www.pdc.kth.se/heimdal/

It's still alpha-quality, but it's being actively developed.  And they
are interested in having AFS compatibility as well.

>for Krb V4 I think that the KA server has some extra features, like an expiry 
>date for the accounts. And of course today we are running the KA server, we 
>don't want to replace it if it isn't necessary.

I am pretty sure that the V4 KDC has the ability to set an account
expiration time (in fact, I think one of the issues with V4 was that the
default account expiration time is sometime in 1999).  But I understand
the desire not to change :-)

>Or could it be possible that "kas examine" used the AFS service ticket 
>instead of the Authuser.Admin ticket? I think that all the other kas 
>commands should use the Authuser.Admin ticket. Just change the 
>implementation of "kas examine".
>
>Would that kind of change open up a big security hole or not?

As far as I can see it ... no.  It would require changing the kaserver
around, and from my limited understanding of the way Kerberos and RX interact,
it might be difficult (it might be simpler to create a special "examine"
server, for example).

--Ken
