For question 1)

I do the following for "tcsh" and "csh":
alias kas '/usr/afsws/etc/kas \!* -admin rsw.admin'

This way it does not matter at all who AFS thinks I am when I run the kas
command.


For question 2)
Use "ADM" from CMU or something similar if you want to change the default
security policies for your site. There is also a Kerberos perl package that
can be set up similar to "ADM". We use "ADM" here with good success.

However, since you are maintaining your own login and xdm code (as we do) you
could also look at calling the AFS routine ka_UserAuthenticateGeneral(),
which has password expiration knowledge, instead of the MIT calls. The login
code will tend to look a lot cleaner to boot.

An additional comment regarding the AFS kaserver vs. the MIT Kerberos server:

There are a number of reasons why either can be more useful to a specific
site. We switched from the MIT Kerberos server to the AFS kaserver several
years ago because we found it more reliable for our larger site. The AFS
kaserver uses "ubik" to keep the replicated security servers in sync. This
is much more robust than what the MIT Kerberos server does. We are no longer
inundated with complaints about the inability to change passwords every time
we replicate the read-write database to the slaves or when the *one*
read-write database gets separated from other parts of the net. Also you do
not have to dump the entire database, edit out old accounts and then
reload that database when doing trivial account cleanup activities. Ubik
keeps all the kaservers in sync, and when the "master" server is disconnected
from the rest of the network, voting for a "new master" happens without
intervention by humans. Though it is not perfect, it has greatly improved
the overall reliability of our site. As you know it does a good job of
handling the MIT Kerberos calls, and you can even have the added benefit of
forwarded tickets and tokens, which also keeps users happier with less
password retyping.

Randall

On Wed, 7 Jan 1998, Magnus Sandberg wrote:

: Hi,
: 
: I have two questions about the /usr/afsws/etc/kas command.
: 
: I don't know if the Kerberos server is more popular than the KA server. My
: opinion is that the kas command (and others like uss) don't function as well
: as all the other AFS commands.
: 
: First of all, why doesn't kas look at the AFS token in the current shell?
: The search order for the password is:
: 
: 1: -admin switch
: 2: Unix UID
: 
: I think it should be:
: 
: 1: -admin switch
: 2: AFS token in the shell
: 3: Unix UID
: 
: Today I have to type commands like this:
: 
: $ /usr/afsws/etc/kas examine <user> -admin mem.admin
: 
: otherwise kas asks for the password for mem (my UID) even if the shell has a
: token that belongs to mem.admin.

: 
: The second question is about the "kas examine" command. Today everyone
: always has to enter a password when they do an examine. I don't like that.
: 
: With the examine command you can't "destroy" anything, just get
: information. I know that information is the most important thing for a
: cracker.
: 
: My idea is that a normal user should get info about their own entry without
: any password request. And if the shell has an AFS token that belongs to an
: entry with the ADMIN flag set then "kas examine" should get any
: information without any password request.
: 
: You will ask me why. In our cell we don't use the Transarc AFS login
: program, we are using a special version of XDM login and Athena Kerberos
: telnet. So today the users don't get any warning messages before the
: password expires. We have an idea of creating a shell script that does a "kas
: examine <loginuser>" at login time that displays a warning message. But today
: the users have to enter their own passwords to get that type of script to
: work okay. And the users don't like to type their passwords a second time
: when they log in.
: 
: The second thing is that we have some administrative scripts that need to
: look in the KAS database. If I had an ADMIN token when I run this type of
: script it would be much easier; today I have to enter my password each time
: the script does a "kas examine".
: 
: Would this type of change in "kas examine" be a security question or just a
: change of the behaviour of the command?
: 
:                                  _\\|//_
:                                  (-0-0-)
: /------------------------------ooO-(_)-Ooo-----------------------------\
: | Magnus Sandberg    Email: [EMAIL PROTECTED]    http://www.it.kth.se/~mem |
: | Systems admin, Royal Institute of Technology/Dep. of Teleinformatics |
: | Phone: +46-8-752 14 46  FAX: +46-70-711 53 03  GSM: +46-70-716 62 06 |
: \----------------------------------------------------------------------/
:                                  ||   ||
:                                 ooO   Ooo
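The login-time expiry warning Magnus describes above, written out as an added example (not code from the thread or from AFS). It assumes GNU date for the "-d" parsing and that "kas examine" reports expiry on a line of the form "password will expire: <ctime date>"; the two kas outputs below are constructed samples, not captured from a real cell.

```shell
#!/bin/sh
# Constructed sample of "kas examine mem" output (format assumed).
SAMPLE_KAS_OUTPUT='User data for mem
  key (0) cksum is 2497777317, last cpw: Mon Jan  5 10:00:00 1998
  password will expire: Wed Jul  8 10:00:00 1998
  5 consecutive unsuccessful authentications are permitted.
  The lock time for this user is 25.5 minutes.
  User is not locked.
  entry never expires.  Max ticket lifetime 25.00 hours.
  last mod on Mon Jan  5 10:00:00 1998 by admin
  permit password reuse'

# Constructed sample for an entry whose password never expires (format assumed).
SAMPLE_NEVER_OUTPUT='User data for svc
  key (0) cksum is 1122334455, last cpw: Mon Jan  5 10:00:00 1998
  password never expires.
  entry never expires.  Max ticket lifetime 25.00 hours.'

# kas_expiry_days KAS_OUTPUT NOW_EPOCH
# Prints the whole days until the password expires (negative if already
# expired), or "never" when no expiry line is present. Needs GNU date -d.
kas_expiry_days() {
    expiry=$(printf '%s\n' "$1" | sed -n 's/^ *password will expire: *//p')
    if [ -z "$expiry" ]; then
        echo never
        return 0
    fi
    exp_epoch=$(date -d "$expiry" +%s) || return 1
    echo $(( (exp_epoch - $2) / 86400 ))
}

# warn_if_expiring KAS_OUTPUT NOW_EPOCH WARN_DAYS
# Prints a warning to stderr and returns 0 when the password expires within
# WARN_DAYS; returns 1 otherwise, 2 if the kas output could not be parsed.
warn_if_expiring() {
    days=$(kas_expiry_days "$1" "$2") || return 2
    [ "$days" = never ] && return 1
    if [ "$days" -le "$3" ]; then
        echo "WARNING: your AFS password expires in $days day(s); run kpasswd." >&2
        return 0
    fi
    return 1
}

# In a real login script the output would come from:  kas examine "$USER"
# (which, as the thread notes, still prompts for a password itself).
```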