Xavier, the "forge" code that Remi tried to get working is capable of decrypting an AFS token both for K4 and K5; however, it can only re-encrypt a K4 one, not a K5 one.

When he asked me for advice I suggested dropping that code and instead using Heimdal's kadmin extract to temporarily extract a keytab entry for the user in question, and then simply doing a "kinit -k" + aklog to build a new token for shipment back to the batch worker. This is also possible with MIT Kerberos, using a mod to ktutil developed by Andrei.

Sure enough, all this has to take place on a trusted server using an authenticated and secure channel; no keys are available to the batch worker.

For both, once the batch job is running, within the ticket refresh period an occasional "kinit -R" + aklog is sufficient and safer.

BTW: for the brave, "impersonating" a user (which is what your batch system does in the end) is also possible without hacking or C-coding, using a suitably mapped certificate, with Heimdal and even Windows. Probably MIT as well. Just increasingly tricky to keep it hackerproof.

Cheers,
Rainer

Xavier Canehan wrote:
> Our home-made batch system used to save and forge kas tickets. No
> Kerberos 5, not very secure, easiest. Moreover, it was just navigating
> through bit fields to forge a ticket. No AFS primitive implied.
>
> We are migrating: away from the current batch system and to Kerberos 5.
> During the process, we have to modify our batch system, whilst the main
> developer retired.
>
> As Rémi worked on the Kerberos 5 migration here, he has been volunteered to
> provide code to migrate our batch system. Thus, he is investigating
> several options to cope either with kas, fakeka, or K5.
> He may not have been clear: we are not willing to put a keyfile in
> insecure places. We have to modify our batch master and prepare the
> place for the next.
>
> Thanks to everyone who helped, either with directions or code.
> Rémi is adapting code from Rainer Toebbicke. If not successful, we will
> certainly switch to Heimdal, as suggested by Derrick Brashear.
>

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics (CERN) - Geneva, Switzerland
Phone: +41 22 767 8985   Fax: +41 22 767 7155

________________________________________________
Kerberos mailing list   [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
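Added example (not part of Rainer's or Xavier's posts, nor of any project they mention): a POSIX sh sketch of the keytab-extract procedure Rainer describes, as it would run on the trusted batch master. The realm EXAMPLE.ORG, the principal alice, the DRY_RUN switch and the KADMIN_FLAVOR knob are assumptions. For Heimdal the extraction command is "kadmin -l ext_keytab"; for MIT, "kadmin.local ktadd -norandkey" (which also copies the keys without re-randomizing them) stands in for the ktutil modification the post mentions, which is not shown here. Shipping the resulting credential cache/token to the worker is out of scope.

```sh
#!/bin/sh
# Added example, not code from the mailing-list thread. Mint an AFS token for a
# batch user from a short-lived keytab extract on the trusted batch master, then
# refresh it with "kinit -R" + aklog. Realm, principal and knobs are assumptions.
set -eu

: "${REALM:=EXAMPLE.ORG}"        # assumption: realm of the batch users
: "${KADMIN_FLAVOR:=heimdal}"    # "heimdal" (kadmin -l ext_keytab) or "mit" (kadmin.local ktadd -norandkey)
: "${DRY_RUN:=0}"                # 1 = print the privileged commands instead of running them

# Run a command, or only print it when DRY_RUN=1, so the procedure can be
# inspected on a host that has no Kerberos/AFS tools installed.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Copy the user's current keys into a private temporary keytab. Both commands
# extract the existing keys rather than generating new ones, so the user's own
# password keeps working.
extract_keytab() {
    princ="$1"; kt="$2"
    case "$KADMIN_FLAVOR" in
        heimdal) run_cmd kadmin -l ext_keytab -k "$kt" "$princ" ;;
        mit)     run_cmd kadmin.local -q "ktadd -k $kt -norandkey $princ" ;;
        *)       echo "unknown KADMIN_FLAVOR: $KADMIN_FLAVOR" >&2; return 2 ;;
    esac
}

# Build a fresh, renewable TGT plus AFS token for $user in the credential cache
# $cc. The keytab lives only for the duration of this function and never leaves
# this host; only the resulting credentials are meant to go to the worker.
build_token() {
    user="$1"; cc="$2"
    princ="$user@$REALM"
    umask 077                                   # temp keytab readable only by our uid
    ktdir=$(mktemp -d "${TMPDIR:-/tmp}/bt.XXXXXX")
    kt="$ktdir/$user.keytab"
    trap 'rm -rf "$ktdir"' EXIT                 # keys must not outlive this step, even on error
    extract_keytab "$princ" "$kt"
    # -r asks for a renewable lifetime so that kinit -R works later on;
    # KRB5CCNAME keeps every batch user in a separate cache.
    run_cmd env KRB5CCNAME="$cc" kinit -k -t "$kt" -r 7d "$princ"
    run_cmd env KRB5CCNAME="$cc" aklog
    rm -rf "$ktdir"
    trap - EXIT
}

# Periodic refresh for a running job: renew the TGT (only possible while it is
# still inside its renewable lifetime) and re-derive the AFS token. No keys are
# involved, so this part can run on the worker itself.
refresh_token() {
    cc="$1"
    run_cmd env KRB5CCNAME="$cc" kinit -R
    run_cmd env KRB5CCNAME="$cc" aklog
}

# Usage on the batch master:  DRY_RUN=1 sh thisscript.sh   (prints the commands)
# or, for real:               build_token alice /var/run/batch/krb5cc_alice
if [ "${BATCH_TOKEN_DEMO:-0}" = 1 ]; then
    DRY_RUN=1
    build_token alice /var/run/batch/krb5cc_alice
    refresh_token /var/run/batch/krb5cc_alice
fi
```

Two caveats a practitioner will hit: "kinit -R" fails once the renewable lifetime requested with -r has expired, at which point the master has to repeat build_token (another keytab extract), and the extracted keytab grants full impersonation of the user, so run this only under the batch master's own, non-root service account with the umask and cleanup shown, never on a shared filesystem.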
