On 29 Sep 2009, at 10:31, Remi Ferrand wrote:

Hi,

I need help to create a little hack on Kerberos / AFS.

You'd be much better off asking this question on the openafs-devel list, to which I've directed follow-ups. This is definitely off-topic for krb-devel, and is actually not particularly Kerberos dependent at all.

My final aim is to forge Tokens (Ticket Granting Server for AFS (Andrew File System)) without any passwords from the users (directly with the Master Key).

You don't need to use the Kerberos master key for this - you can forge AFS tokens using just the afs/<cell>@<REALM> key that's stored in your servers' keyfiles. The daemon that lives behind gssklog already forges AFS tokens - that's probably a good location to look for code.

Hope that helps,

Simon.

Our production system works as follows:
- the client SSHes onto a machine and is granted an AFS Token obtained with aklog. At this very step, the user has the Ticket Granting Ticket krbtgt/re...@realm and the afs/c...@realm Ticket Granting Service ticket. He also has an AFS Token obtained with aklog.
- the user then submits a job to our Batch system.
- the job will be processed X hours/minutes later and could last a long time.

Our problem is that some jobs could last longer than the AFS token lifetime. Once this lifetime has expired, the jobs can no longer access AFS filesystems and abort.

My idea is to implement a new functionality in our Batch system: the capability of "Token regeneration".
My first idea was to:
* store the Master Key K/m...@realm in a KeyTab.
* store the TGT somewhere once the user has been granted the TGT (on the client side).
* once the Token is about to expire, I would like to read the K/M from the KeyTab and use it to decrypt the user TGT stored in the previous step.
* once the user TGT has been decrypted with the K/M, I will then be able to modify the expiration time and other fields.

I still have many questions about the details:
* the stash file is used to decrypt the DataBase, isn't it?
* Every DataBase entry is encrypted with the Master Key, isn't it?
* On the KDC side, the TGT is decrypted with the Master Key in the DataBase (is this the K/m...@realm entry?)
* when the TGT is in the client cache, the TGT is encrypted with the user password, isn't it?
* If I have my K/M in a KeyTab, am I able to decrypt the TGT stored in the client cache?

Is this possible ?
Any other suggestion is welcome...

Thanks in advance for your help :)


--

Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
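The point in Simon's reply, that whoever holds the afs/<cell>@<REALM> service key can mint a token for any user with any lifetime, needing neither the user's password nor the KDC master key, as an added illustrative model. This is example code written for this page, not code from OpenAFS, gssklog or MIT Kerberos. The token layout and the cipher (an HMAC-SHA256 keystream with an HMAC tag standing in for the real rxkad/Kerberos enctype) are deliberate simplifications; the real rxkad ticket format is not reproduced. The principal name, timestamps and key bytes are constructed for the demonstration.

```python
"""Simplified model of AFS token minting with the service key only.

Example for this thread, not OpenAFS/gssklog/MIT Kerberos code. The cipher and
token layout are stand-ins (assumption: a simple encrypt-then-MAC scheme is
enough to show the trust relationship); the real rxkad ticket format differs.
"""
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode (NOT the real enctype)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(service_key: bytes, body: dict) -> bytes:
    """Encrypt-then-MAC a token body under the service key."""
    plain = json.dumps(body, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(service_key, nonce, len(plain))))
    tag = hmac.new(service_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(service_key: bytes, token: bytes) -> dict:
    """Check the tag, then decrypt. Raises ValueError on wrong key or tampering."""
    if len(token) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, ct, tag = token[:NONCE_LEN], token[NONCE_LEN:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(service_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered token")
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(service_key, nonce, len(ct))))
    return json.loads(plain)


def mint_token(service_key: bytes, user: str, lifetime_s: int, now: int) -> bytes:
    """What the KDC (via aklog) or any service-key holder does: no user secret needed."""
    body = {
        "user": user,
        "start": now,
        "end": now + lifetime_s,
        "session_key": os.urandom(8).hex(),  # constructed; the real one is negotiated
    }
    return seal(service_key, body)


def fileserver_accepts(service_key: bytes, token: bytes, now: int) -> bool:
    """The fileserver's check: decrypt with its own key, then test the validity window."""
    try:
        body = unseal(service_key, token)
    except ValueError:
        return False
    return body["start"] <= now < body["end"]


def regenerate(service_key: bytes, old_token: bytes, now: int, lifetime_s: int) -> bytes:
    """A batch system holding the cell's KeyFile: the expired token still
    decrypts under the service key, so read the user out of it and mint a
    fresh one. Neither the user's password nor K/M is involved."""
    body = unseal(service_key, old_token)
    return mint_token(service_key, body["user"], lifetime_s, now)


if __name__ == "__main__":
    key = os.urandom(32)  # stands in for the afs/<cell>@<REALM> key in the KeyFile
    t0 = 0
    tok = mint_token(key, "remi@EXAMPLE.ORG", 10 * 3600, t0)  # constructed principal
    print(fileserver_accepts(key, tok, t0 + 3600))             # True
    print(fileserver_accepts(key, tok, t0 + 12 * 3600))        # False: expired
    new = regenerate(key, tok, t0 + 12 * 3600, 48 * 3600)
    print(fileserver_accepts(key, new, t0 + 50 * 3600))        # True
    print(fileserver_accepts(os.urandom(32), new, t0 + 50 * 3600))  # False: wrong key
```

The `regenerate` step is the one a batch system with access to the cell's KeyFile could perform; nothing in it touches the user's credentials or the KDC database. The flip side is the caveat a practitioner would want: whoever holds that service key can issue tokens for any user, so a batch host that gets a copy of it has to be protected to the same standard as the fileservers themselves.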

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos

_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
