Hello everybody!
At LRZ in Munich we have a large fileserver which is to be used as a big
local storage. There is only one possibility to get access to this
service, an ftp daemon. So every time you want to get/store a file, you
have to type your password.
Now we thought it might simplify the access considerably if access control
is done by AFS authentication, i.e. if the user you authenticate has a
valid AFS token for file service, he is allowed to use the ftp daemon.
That's our idea how it should work:
AFS clients                            FTP Daemon
                                       on the mass storage server
get token from AuthServer
   -- send token via socket ->         verify token and user
                                       and let him in or
                                       deny access.
If it is impossible to port the necessary routines to the file server
architecture, another way might be:
get token, verify   -- send token via socket -->           --> |
                                                    take token |
                    <- send it back to a verify daemon -   <-- |
verify token and
                    - send back OK or BAD ->               let the user in
                                                           or deny access.
Obviously, this is not 100% secure but we think it fits our requirements
as it is a reasonable way to simplify the access.
It's very simple to get that token (use ktc_ListTokens and ktc_GetTokens
like "tokens" does) at the server site, but I can't find any other way to
verify the token without using ktc_SetToken. I don't like this way,
because if something's wrong with the ticket, the net or ..., the user may lose
his token and won't know why. From the AFS Manual I gather that there is a
way to verify the ticket without contacting the AuthServer.
But I couldn't find the corresponding routines in the libraries or the
source code.
Does anybody know a way to implement the feature described above?
Thomas Brandl.
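An added illustration, not part of the original message and not AFS code: a small Python model of checking a ticket locally at the FTP daemon, without contacting the AuthServer and without installing the token. It assumes the daemon holds the service key the ticket was sealed under; the sealing is a toy HMAC-based stand-in for the real ticket cipher, and all function names and sample values are hypothetical. The client answers a fresh challenge with the session key instead of sending that key over the socket.

```python
import hashlib, hmac, json, os, time

def _sub(key, label):                      # separate encryption and MAC subkeys
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):                # toy stream cipher, stand-in for the real ticket cipher
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plain):
    nonce = os.urandom(16)
    ct = _xor(_sub(key, b"enc"), nonce, plain)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return _xor(_sub(key, b"enc"), nonce, ct) if hmac.compare_digest(tag, good) else None

def issue_ticket(service_key, user, lifetime, now):
    """AuthServer role: returns (ticket, session_key) for the client."""
    session_key = os.urandom(32)
    body = json.dumps({"user": user, "skey": session_key.hex(), "end": now + lifetime})
    return seal(service_key, body.encode()), session_key

def answer(session_key, challenge):
    """Client role: prove possession of the session key without sending it."""
    return hmac.new(session_key, challenge, hashlib.sha256).digest()

def verify_login(service_key, ticket, challenge, response, now):
    """FTP daemon role: purely local check. Returns the user name or None."""
    plain = unseal(service_key, ticket)
    if plain is None:
        return None                        # forged, corrupted or sealed under another key
    t = json.loads(plain)
    if now >= t["end"]:
        return None                        # ticket lifetime is over
    expected = hmac.new(bytes.fromhex(t["skey"]), challenge, hashlib.sha256).digest()
    return t["user"] if hmac.compare_digest(response, expected) else None

if __name__ == "__main__":
    key, now = os.urandom(32), int(time.time())      # constructed sample values
    ticket, skey = issue_ticket(key, "alice", 3600, now)
    nonce = os.urandom(16)                            # daemon's fresh challenge
    print(verify_login(key, ticket, nonce, answer(skey, nonce), now))
```

Because the daemon picks a new challenge for every connection, a ticket and response captured from the socket cannot be replayed later, and a failed check leaves the user's own token cache untouched.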