On Mon, 26 Mar 2007, Marcus Watts wrote:

> In this case, spoofed servers. Regular kerberos works because
> it's not protecting a shared resource. In this case, there's
> a shared resource involved, so there needs to be something extra.
> I hope you have your kerberos servers & file servers straight
> in your head.

I have that straight. I didn't have your proposal straight, because I was trying to twist it so it could work with clients detached from the network at midnight, which is always a fuzzy time. :) I am also very loosely using terminology, which is confusing, especially to programmers. =)

I was just kind of wondering if you could use the shared key to encrypt a file which stores a "master key", that could be used to "verify" credentials locally for the local user, which would probably be encrypted with a combination of the master key and the shared key, IF they have been previously authenticated, which they have to do in order to create a "cache" of their actual files they wish to take with them. Their "cache" could be accessed using a combination of the host shared key and their password, which would decrypt their "filesystem" (more like a loopback mounted filesystem). Upon reconnection to the network they would have to authenticate once using the fake stored creds to verify their creds were actually legit, and once using their real creds to the actual server to get a regular connection and to sync their "cache" with the fileservers.

I was also thinking that you could hack kaserver to store client keys and transport encryption keys. It could store the client public user key to match it with the host key and an encryption key (and of course put a TTL on those keys so they can be cleaned up periodically, and for security). Which does require another server, but kaserver would just need to be modified. (Well okay, it probably needs to be completely overhauled, but not for a prototype.)

Thus I have offered more confusion. :)

--------------------------------------
Sean O'Malley, Information Technologist
Michigan State University
-------------------------------------

_______________________________________________
OpenAFS-devel mailing list
https://lists.openafs.org/mailman/listinfo/openafs-devel
