[888] in Release_7.7_team
Re: why we should document forwardable tickets
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Mar 6 16:08:22 1997
To: Craig Fields <cfields@MIT.EDU>
Cc: ghudson@MIT.EDU, mbarker@MIT.EDU, release-team@MIT.EDU
In-Reply-To: Your message of "Thu, 06 Mar 1997 20:49:26 GMT."
<199703062049.UAA02878@mad-scientist.MIT.EDU>
Date: Thu, 06 Mar 1997 16:08:16 EST
From: Greg Hudson <ghudson@MIT.EDU>
> (Not exactly related, but: Can we fix the aklog protocol?)
aklog doesn't have a protocol. It just takes a K4 service ticket of
the requisite type and stuffs it into the kernel. (It does contact
the PTS servers, but only for error-checking.) We would have to
modify the AFS servers and possibly the AFS protocol. Transarc would
be unlikely to take our changes because their customers have come to
rely on AFS tokens being forwardable.
> Nevertheless, AFS is not the only service in town. The threat of
> exploitation against other services is still much greater with the
> forwardable K5 tickets.
If I can modify your dotfiles, I can be you. The return on this kind
of security measure is vanishingly small. (Yeah, I know, we start out
playing with half-measures because our public workstations are
physically accessible, which is why I tend to consider private
workstations as the basis of our security model for sanity reasons.)
