[3609] in Kerberos


Re: Using Aklog with Kerberos 5.4.1 to get an AFS Token

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Mon Jul 25 14:42:25 1994

Date: Mon, 25 Jul 94 14:19:33 -0400
From: Theodore Ts'o <tytso@MIT.EDU>
To: DEEngert@anl.gov
Cc: AUTH-PILOT@ES.NET, KERBEROS@MIT.EDU
In-Reply-To: <9407251354.AA05974@MIT.EDU> (DEEngert@anl.gov)

   Date: Mon, 25 Jul 94 08:54:01 CDT
   From: "Doug Engert" <DEEngert@anl.gov>
   Cc: <AUTH-PILOT@ES.NET>, <KERBEROS@MIT.EDU>

   In response to my note, Ted responded:

   "... but it completely goes against the purpose of the krb425 library ---
   again, the libkrb425 library allows a program which uses the krb4 API
   to access the krb5 protocol."

   But the changes I made do "use the krb4 API, to access the
   krb5 protocol." In particular, the goal was to allow aklog, which
   was written for krb4, to use the krb5 protocol including the
   krb5 credential cache to get a krb5 credential which
   could then be converted to an AFS token, without using any krb4 files
   such as the cache or the krb.conf, with a minimum of krb4 code.

But that's not what you were doing.  You were using the krb5 protocol
including the krb5 credential cache to get a ***krb4*** credential which
you then stuffed into an AFS token.  Your changes changed what was
stuffed into the CREDENTIALS from a V5 ticket to a V4 ticket.   Yes, the
fact that the krb_get_cred() in the libkrb425 sticks a V5 ticket into
what had been previously a V4 structure is confusing, but that was the
entire point behind the libkrb425 library.

Your change will break other routines inside libkrb425 which call
krb_get_cred(), since they expect a V5 ticket to be stored in the returned
CREDENTIALS structure, instead of a V4 ticket.

   If the krb425 get_cred was designed to return a partial CREDENTIALS
   or to have the CREDENTIALS ignored, then the code I added could be
   referred to as abusing the krb425 library.

It returns a CREDENTIALS structure where a V5 ticket is stored in the
field instead of a V4 ticket.  Yes, this is very confusing; and of
dubious value.  But the solution to this is to consider ditching the V5
library altogether.

Note that the krb425d is also somewhat of dubious value, and we probably
won't be running it at MIT.  It's much simpler to simply modify kinit to
get both V4 and V5 tickets, and then you don't need to modify aklog at
all, since it simply uses the V4 ticket cache.  (Of course, you also
modify kdestroy to destroy both ticket caches, etc.)

						- Ted

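The whole disagreement above turns on which kind of ticket ends up in the
krb4 CREDENTIALS structure: libkrb425's krb_get_cred() stores a V5 ticket
there, while Doug's patched version stores a V4 ticket, and each caller
assumes one or the other. The following is an added example (not code from
this thread, from libkrb425, or from MIT) of a sanity check a caller could
run on that field before using it. It relies on one fact about the
protocol: a Kerberos V5 Ticket is the DER encoding of [APPLICATION 1]
SEQUENCE, so its first byte is the tag 0x61 followed by a DER length that
must account for exactly the rest of the buffer, whereas a V4 ticket is an
opaque encrypted blob with no such framing. The ktext_st struct, the
ticket_kind() function, and the demo_* helpers are stand-ins invented for
this example (the real krb4 type is KTEXT_ST), and the sample byte strings
are constructed DER framing, not real tickets.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the krb4 KTEXT_ST buffer that lives inside CREDENTIALS:
 * an opaque byte array plus its length. 1250 is krb4's MAX_KTXT_LEN. */
#define MAX_KTXT_LEN 1250
typedef struct {
    int length;
    unsigned char dat[MAX_KTXT_LEN];
} ktext_st;

enum ticket_kind { TICKET_EMPTY = 0, TICKET_V5_DER = 1, TICKET_OPAQUE = 2 };

/* Decode a DER length field at p[0]. Returns the number of length bytes
 * consumed (0 on malformed or indefinite length); value goes to *out. */
static size_t der_len(const unsigned char *p, size_t avail, size_t *out)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *out = p[0]; return 1; }          /* short form */
    size_t n = p[0] & 0x7f;                              /* long form   */
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *out = v;
    return 1 + n;
}

/* Classify the bytes in the ticket field. V5: tag 0x61 and a DER length
 * covering exactly the rest of the buffer. Anything else is treated as an
 * opaque (V4-style) blob. The length check matters because an encrypted
 * V4 ticket starts with 0x61 by chance one time in 256. */
enum ticket_kind ticket_kind(const ktext_st *t)
{
    if (t->length <= 0 || t->length > MAX_KTXT_LEN) return TICKET_EMPTY;
    size_t len = (size_t)t->length;
    if (t->dat[0] != 0x61) return TICKET_OPAQUE;
    size_t body = 0;
    size_t hdr = der_len(t->dat + 1, len - 1, &body);
    if (hdr == 0 || 1 + hdr + body != len) return TICKET_OPAQUE;
    return TICKET_V5_DER;
}

/* Build a ktext_st from constructed sample bytes. */
static ktext_st make_ktext(const unsigned char *bytes, size_t n)
{
    ktext_st t;
    memset(&t, 0, sizeof t);
    if (n > MAX_KTXT_LEN) n = MAX_KTXT_LEN;
    memcpy(t.dat, bytes, n);
    t.length = (int)n;
    return t;
}

/* Constructed samples (DER framing only, not real tickets). */
int demo_v5_short_form(void)   /* 61 03 | 30 01 00 : tag, len 3, 3 bytes */
{
    const unsigned char b[] = {0x61, 0x03, 0x30, 0x01, 0x00};
    ktext_st t = make_ktext(b, sizeof b);
    return ticket_kind(&t);
}
int demo_v5_long_form(void)    /* 61 82 00 02 | 30 00 : two-byte length */
{
    const unsigned char b[] = {0x61, 0x82, 0x00, 0x02, 0x30, 0x00};
    ktext_st t = make_ktext(b, sizeof b);
    return ticket_kind(&t);
}
int demo_v4_opaque(void)       /* arbitrary ciphertext-looking bytes */
{
    const unsigned char b[] = {0x8f, 0x3a, 0xc1, 0x07, 0x55, 0xe2, 0x19, 0x40};
    ktext_st t = make_ktext(b, sizeof b);
    return ticket_kind(&t);
}
int demo_tag_collision(void)   /* starts with 0x61 but length disagrees */
{
    const unsigned char b[] = {0x61, 0x10, 0xaa, 0xbb};
    ktext_st t = make_ktext(b, sizeof b);
    return ticket_kind(&t);
}

int main(void)
{
    printf("short-form V5  : %d\n", demo_v5_short_form());
    printf("long-form V5   : %d\n", demo_v5_long_form());
    printf("opaque (V4)    : %d\n", demo_v4_opaque());
    printf("tag collision  : %d\n", demo_tag_collision());
    return 0;
}
```

A caller that expects the libkrb425 convention (V5 ticket in the field)
would refuse anything that is not TICKET_V5_DER; a caller written against
unmodified krb4 would refuse TICKET_V5_DER. Either way the mismatch is
caught at the call site instead of surfacing as a garbled AFS token.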