Remi: Can you please explain what it is that you are attempting to accomplish?
An AFS token can be created in a number of ways, not all of which are Kerberos v5. tkt_DecodeTicket5() can only be used when the kvno of the AFS token is RXKAD_TKT_TYPE_KERBEROS_V5 or RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY. To decrypt the ticket you need to have possession of the afs service principal key that matches the kvno in the Kerberos v5 ticket.

From your previous e-mail to [email protected] I know that you are trying to print your own AFS tokens. I do not understand why you aren't simply using "aklog -keytab <keytab> -principal <principal> -cell <cellname>", which will produce a new token for the specified principal in the specified cell using the key in the provided keytab. Why do you need to decrypt the existing AFS token? In order to decrypt the old token you would need to have the key for the afs service principal; if you have that, then you can simply print a token whenever you want for whomever you want.

On 9/29 you said the reason for this project is to permit automated token renewal for users that remotely log in via SSH. I would think long and hard about the risks associated with placing copies of your afs service principal keys on such machines. If that key becomes compromised, the attacker can do anything they want to the data in your cell or pretend to be anyone to your cell. Are the benefits worth the risk?

Jeffrey Altman

Remi Ferrand wrote:
> Hi,
>
> I'm trying to find a way to decrypt efficiently an AFS Token created
> with "kinit + aklog" in order to access the encrypted data.
>
> Every attempt I made to use the tkt_DecodeTicket5 function was
> unsuccessful (this function is supposed to exist for this purpose, isn't
> it?)
>
> My last (and ultimate) idea is to map the AFS Token to a krb5_ticket and
> to decrypt it with the krb5_decrypt_tkt_part function.
> That's not an easy trick and I would like to know if someone has already
> written something about this ....
>
> My questions are:
> * Is it possible to map an AFS Token to a krb5_ticket and decrypt it
> using the krb5_decrypt_tkt_part function?
> The encrypted part of AFS Tokens created with "kinit+aklog" is based
> on the krb5_encrypt_tkt_part function, so I think that's possible.
>
> * Has anyone already tried something like this?
> Could anyone help me do this?
>
> For sure, any other idea to access the encrypted content of the AFS
> Tokens created with "kinit + aklog" is accepted.
>
> Thanks in advance
>
> Remi
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
