Greetings. I am about to make the srvtab capability available to our
users (because it's unacceptable to have cleartext passwords on any
disk for running cron jobs, etc.; this is the only higher degree of
security possible) and the functionality is a bit lacking; I am
wondering whether there exists a version that picks up the AFS ID from
PTS.
To elaborate:

Here's the output from "tokens" after I've klog-ged:

    User's (AFS ID 1001) tokens for [EMAIL PROTECTED] [Expires Feb 9 21:23]

And here's the output after I've run gettoken on a srvtab:

    Tokens for [EMAIL PROTECTED] [Expires Feb 6 03:32]
Two things are different in the second case: the AFS ID is absent, and
the token expiration is 12.5 hours away instead of the 100 hours that
my particular ID is entitled to. (The first I can understand; there's
no requirement for a principal in the Kerberos server to be in the PTS
database.)
Before we make gettoken available, we need a way for a program to tell
what token its process has. We've been doing this by parsing the
output of tokens; this also enables us to tell whether the process has
an admin token (because we assign admin privs to a special UID range).
So either I need a gettoken modified to get an AFS ID at the same time
as it gets a token, or I need another way to find out what principal
the current process has been authenticated as. Either way, I would
also like a way for the token obtained via the srvtab to have the
lifetime that the authentication server has associated with it.
Any ideas?
Peter J. Scott, Member of Technical Staff | [EMAIL PROTECTED]
Jet Propulsion Laboratory, NASA/Caltech | EIS Project
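
Added example, not part of the original message: a sketch of the check the post describes, parsing the two "tokens" output lines quoted above and failing closed when the AFS ID is absent (the srvtab case). The admin ID range, the function names and the third sample line are assumptions; the post does not state its admin UID range.

```python
import re
from typing import NamedTuple, Optional

# Hypothetical admin AFS ID range; the post says admin privileges map to a
# special UID range but does not give it.
ADMIN_ID_RANGE = range(60000, 61000)

# Matches both forms quoted in the post:
#   User's (AFS ID 1001) tokens for <name> [Expires Feb 9 21:23]
#   Tokens for <name> [Expires Feb 6 03:32]
TOKEN_LINE = re.compile(
    r"^(?:User's \(AFS ID (?P<afs_id>\d+)\) tokens|Tokens) for "
    r"(?P<name>.+?) \[Expires (?P<expires>[^\]]+)\]\s*$"
)

class Token(NamedTuple):
    afs_id: Optional[int]  # None when no AFS ID is printed (srvtab case)
    name: str              # whatever follows "for" (redacted in the post)
    expires: str           # expiry text exactly as printed

def parse_tokens(output: str) -> list[Token]:
    """Parse `tokens` output; lines that are not token lines are ignored."""
    found = []
    for line in output.splitlines():
        m = TOKEN_LINE.match(line.strip())
        if m:
            afs_id = int(m["afs_id"]) if m["afs_id"] else None
            found.append(Token(afs_id, m["name"], m["expires"]))
    return found

def is_admin(token: Token) -> bool:
    """Fail closed: a token with no AFS ID is never treated as admin."""
    return token.afs_id is not None and token.afs_id in ADMIN_ID_RANGE

# Constructed sample: the two lines from the post plus a made-up admin ID.
SAMPLE = """\
User's (AFS ID 1001) tokens for [EMAIL PROTECTED] [Expires Feb 9 21:23]
Tokens for [EMAIL PROTECTED] [Expires Feb 6 03:32]
User's (AFS ID 60007) tokens for [EMAIL PROTECTED] [Expires Feb 9 21:23]
"""

if __name__ == "__main__":
    for tok in parse_tokens(SAMPLE):
        print(tok, "admin" if is_admin(tok) else "not admin")
```

A caller that needs to know which identity it holds should treat `afs_id is None` as "unknown" and refuse privileged actions rather than assume a default.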