There is no way to create an OpenAFS server keytab from a password, eh?

Shouldn't be hard to write, instead of reading a key from input, read a
password and apply string_to_key to it. You should be able to steal the
code you need from klog or whatever and stick it in bos.

Oh, well, if what you have is actually a krb5 keytab, Heimdal has a utility (ktutil, in fact) which will read a keytab and write an AFS KeyFile.

'asetkey' does this...
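Both replies above end with the same artifact: a KeyFile under /usr/afs/etc that the AFS servers read at startup. Whichever tool produces it (string_to_key in bos, ktutil, or asetkey), a defender reviewing a cell wants to check what actually landed in that file without exposing the key material. The following is an added example, not code from the thread or from OpenAFS; it assumes the classic KeyFile layout (a raw struct afsconf_keys: a 4-byte big-endian key count followed by eight fixed slots of 4-byte kvno plus 8-byte DES key, unused slots zero-filled, 100 bytes in total), builds a constructed sample in memory, and reports kvnos present and entries that fail the DES odd-parity rule.

```python
import struct

# Assumed on-disk layout of the classic OpenAFS KeyFile (struct afsconf_keys
# written raw, integers in network byte order): a 4-byte key count followed by
# AFSCONF_MAXKEYS fixed slots of 4-byte kvno + 8-byte DES key. Unused slots are
# zero-filled, so the file is always 4 + 8 * 12 = 100 bytes.
AFSCONF_MAXKEYS = 8
HEADER = struct.Struct("!i")
SLOT = struct.Struct("!i8s")
KEYFILE_SIZE = HEADER.size + AFSCONF_MAXKEYS * SLOT.size  # 100


def des_odd_parity_ok(key: bytes) -> bool:
    """True if every byte of an 8-byte DES key has odd parity (the low bit is the parity bit)."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def parse_keyfile(data: bytes):
    """Return the list of (kvno, key) pairs stored in a KeyFile image."""
    if len(data) != KEYFILE_SIZE:
        raise ValueError(f"unexpected KeyFile size {len(data)}, expected {KEYFILE_SIZE}")
    (nkeys,) = HEADER.unpack_from(data, 0)
    if not 0 <= nkeys <= AFSCONF_MAXKEYS:
        raise ValueError(f"implausible key count {nkeys}")
    keys = []
    for i in range(nkeys):
        kvno, key = SLOT.unpack_from(data, HEADER.size + i * SLOT.size)
        keys.append((kvno, key))
    return keys


def build_keyfile(keys) -> bytes:
    """Serialise (kvno, key) pairs into a KeyFile image, padding unused slots with zeros."""
    if len(keys) > AFSCONF_MAXKEYS:
        raise ValueError(f"at most {AFSCONF_MAXKEYS} keys fit in a KeyFile")
    out = bytearray(HEADER.pack(len(keys)))
    for kvno, key in keys:
        if len(key) != 8:
            raise ValueError("DES keys are exactly 8 bytes")
        out += SLOT.pack(kvno, key)
    out += b"\0" * (KEYFILE_SIZE - len(out))
    return bytes(out)


def audit_keyfile(data: bytes):
    """Summarise a KeyFile for review: which kvnos are present and which entries look
    malformed. Key bytes are never included in the report."""
    report = []
    for kvno, key in parse_keyfile(data):
        problems = []
        if key == b"\0" * 8:
            problems.append("all-zero key")
        if not des_odd_parity_ok(key):
            problems.append("bad DES parity")
        report.append({"kvno": kvno, "ok": not problems, "problems": problems})
    return report


# Constructed sample keys (not real cell keys): the textbook DES key with correct
# parity, and one whose bytes have even parity, as a mis-converted key might.
GOOD_KEY = bytes.fromhex("133457799bbcdff1")
BAD_KEY = bytes.fromhex("123456789abcdef0")
SAMPLE_KEYFILE = build_keyfile([(3, GOOD_KEY), (4, BAD_KEY)])

if __name__ == "__main__":
    for entry in audit_keyfile(SAMPLE_KEYFILE):
        status = "ok" if entry["ok"] else ", ".join(entry["problems"])
        print(f"kvno {entry['kvno']}: {status}")
```

To audit a real file, replace SAMPLE_KEYFILE with the bytes read from the KeyFile; the report only lists kvnos and problems, so it is safe to paste into a ticket or a change review.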


However, also note that if they administer the kerberos realm they can
print themselves a ticket as any user.  Not understanding your threat
model it's hard to give you advice.

From my previous email:
"""
One thing here is that the kerberos realm administrators should not have administrative
authority over the afs/cell. If they create the keytab and send it to us, they could connect
to any of our afs services with administrative privileges. In our scenario we only trust the other kerberos
realm as an authentication source for users, not an administrative authority for anything else.
"""


In our environment we have different roles/organizations which steward different resources. In this case
a central organization handles all campus accounts for students/faculty/staff. They are not stewards of the resources
(like AFS) within a department. I am trying to make sure that in trusting them for authentication for users (via kerberos) I
am not providing them with a method to log in as root onto my AFS cells. This would be possible if they had a copy of the afs/department.university.edu
password or keytab.


Cross-realm trust seems to address this issue, but I'll have to hack ptserver to allow me to specify unix UIDs. A better method would be to use nss_ldap or something
for afs UIDs and groups. Has anyone looked at that before? Are there any large barriers to implementing it?
-chris


_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info