I have received MANY messages expressing interest in the
lat system. I have made the paper available via anonymous
ftp:

citi.umich.edu

in the directory
/public/techreports/PS.Z/citi-tr-93-1.ps.Z

Here is some information about lat which is not in the
paper.

lat is a tool that was written and built using Kerberos
version 4. It requires installing a service on the secure
machine running the master kerberos database. As such, I
imagine anyone using it will want to examine it closely and
build it themselves before installing it. It has been made
compatible with afs by using the aklog program to stuff
kerberos tickets into the kernel as afs tokens.

I have done some testing of lat in kerberos, and it seems
to work fine, but it has not been tested yet in afs, nor
have I finished implementing the call to aklog in lat.
However, it is just a simple matter of putting it all
together now. I believe that the lat daemon will have to
run on the machine which runs the authentication server
to have access to the user keys to decrypt the kerberos
tickets.

Here is a summary of some of the requirements and
restrictions of lat (most of which appear in the paper).

- you must use Kerberos version 4 to build it
- the lat server must run on the authentication server
  machine
- the job which has been scheduled will run only
  on the machine from which it has been scheduled
- to schedule a long running job to run immediately,
  you schedule it as a lat job with the current time.
- there is a command line option 'renew' which if present
  means that tickets (tokens) will be renewed, otherwise
  only the initial one is issued. 
- there are some security tradeoffs which are discussed
  in the paper. I would recommend becoming familiar with them
  before deciding to use lat.

Status:
-  If you are using Kerberos V4, lat is ready to go.
-  If you are using Kerberos V5, you must have some front
   end to V4 because of many of the Kerberos calls not
   being entirely compatible.
-  If you are using AFS, then you must build V4, and then I
   have to finish incorporating the aklog call into lat. Something
   I should have done by the end of the week.
-  The system has been tested in V4, but could probably use some
   more rigorous testing.
-  man pages are also available
-  I am working on some formal analysis techniques to better
   understand the vulnerabilities of protocols such as lat.

Code Availability:
- real soon, stay tuned.

Reply via email to