Rick Welch <[EMAIL PROTECTED]> asked about aklog and K5.
As part of a Cross Realm Authentication Project sponsored by the
ESnet of DOE, we developed changes to the MIT "aklog" program to
work with Kerberos V5.
After getting K5 credentials using K5 kinit, it uses the Kerberos
5.4.x protocols to get a K5 credential for afs@cell which is then
converted to K4 tickets using the krb524d daemon running on the same
machine as the K5 KDC.
You can even use forwarded credentials from foreign realms to get
AFS tokens for your home cell!
As a first cut I used the krb425 conversion routines so I would
not have to change very much code. I (or someone else) need to
go back and do the conversion right, i.e. use the K5 API rather
than the krb425 conversion aid. I hope to do this soon with
K5.4.3.
Getting this to work requires the AFS cell name to match the K5
realm name, and the K5 KDC to have an afs@cell entry which has the
same key and kvno as the afs@cell in the Kaserver. I have a mod
to krb5_edit which can do this. It is also a kludge and needs
work.
If you are interested in any of these mods, you can look at
ftp:achilles.ctd.anl.gov:/pub/kerberos.v5 for a number of diff
files. One is aklog.cdiff.940811 which has the aklog diffs.
If you find these interesting, or have any questions, drop me a
note.
If you would like a copy of our report which should be out soon,
also drop me a note, and I will get you on the list.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: [EMAIL PROTECTED]