[6781] in Kerberos
Re: Re[2]: propagating files from one client to another - how??
daemon@ATHENA.MIT.EDU (Sam Hartman)
Tue Feb 27 19:13:07 1996
To: Brian Murrell <murrell@bctel.net>
Cc: kerberos@MIT.EDU
From: hartmans@MIT.EDU (Sam Hartman)
Date: 27 Feb 1996 19:03:41 -0500
In-Reply-To: Brian Murrell's message of Tue, 27 Feb 1996 14:58:58 -0800 (PST)
>>>>> "Brian" == Brian Murrell <murrell@bctel.net> writes:
Brian> from the quill of hartmans@mit.edu (Sam Hartman) on scroll
>> There is an accidentally undocumented option to kinit (-k) that
>> gets tickets from a keytab. For example, say I want to get
>> tickets in a script running on foo.mit.edu I might write
>>
>> kinit -l 0:30 -k host/foo.mit.edu    # get 30 min tickets
>> tar -cf - /files | rsh bar.mit.edu -x tar -xf -
Brian> Yikos!! This does seem a bit insecure. But I suppose I
Brian> could put safeguards on the keytab file such that if
Brian> somebody can get it, they could just as easily capture the
Brian> KDC's database (these will be on the same machine
Brian> after all).
Ah, but this keytab (/etc/v5srvtab) is the keytab that klogind
and krshd use to know the machine's host ticket. If I know the host
key for a machine running Kerberos clients, I can already break in as
root. AKA keep your keytab as secure as your machine's root password.
>> This would get tickets then use the tickets to establish an
>> encrypted session to another computer for the untarring. (it
>> assumes that foo.mit.edu has a valid keytab).
Brian> how does one build the keytab used in the example above??
Brian> What keys would be in it?? I suppose it would have to a
Brian> root ticket, if the access needed on the remote is root.
Brian> Man, that scares me.
It depends on how much of kadmind you have working. Since Beta 5 doesn't really have a working kadmind I'll assume you don't have kadmind working at all, and will be using kdb5_edit.
Use the ark command to add a host/kdcname.domainname key to the database.
Then use the xst command like:
xst kdcname.domainname host
Copy the generated file to /etc/v5srvtab.
Then in the slave's ~root/.k5login, add the following line:
host/kdc-name.domain-name@realm-name
Brian> b.
Brian> -- Brian J. Murrell murrell@bctel.net BCTel Advanced
Brian> Communications brian@ilinx.com Vancouver, B.C.
Brian> brian@wimsey.com 604 454 5279
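Added example, not part of the original thread: the reply's steps leave two files behind that decide who can log in as root on the slave, the host keytab copied to /etc/v5srvtab and the principal line appended to ~root/.k5login. The script below checks both before a "kinit -k" script is trusted with them: the keytab must be owned by root and have no group/other permission bits (the reply's point that a readable host keytab is as good as the root password), and the .k5login must name the principal as a whole line and not be writable by anyone else. File names, the host and the realm (kdc.example.org, EXAMPLE.ORG) are constructed placeholders; the demo runs against a throwaway directory, never /etc.

```shell
#!/bin/sh
# Added example (not from the original thread). Sanity checks for the host
# keytab and the ~root/.k5login entry that the reply's kdb5_edit procedure
# produces. Paths, host and realm names below are constructed placeholders.

# Constructed stand-in for host/kdc-name.domain-name@realm-name.
DEMO_PRINC="host/kdc.example.org@EXAMPLE.ORG"

# file_mode FILE -> octal permission bits; GNU stat first, BSD stat fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# file_owner FILE -> numeric uid of the owner.
file_owner() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# keytab_is_private KEYTAB [UID]
#   Succeed only if KEYTAB is a regular file owned by UID (default 0, root)
#   with no group/other permission bits at all (mode 0600 or stricter).
keytab_is_private() {
    ktab=$1
    want_uid=${2:-0}
    [ -f "$ktab" ] || return 1
    owner=$(file_owner "$ktab") || return 1
    perm=$(file_mode "$ktab") || return 1
    [ "$owner" = "$want_uid" ] || return 1
    case $perm in
        *00) return 0 ;;   # group and other digits are both zero
        *)   return 1 ;;
    esac
}

# k5login_allows K5LOGIN PRINCIPAL
#   Succeed only if K5LOGIN contains PRINCIPAL as a complete line (grep -x,
#   so a prefix of a longer principal does not match) and the file is not
#   writable by group or others (an attacker who can append a line to it
#   can grant himself root).
k5login_allows() {
    k5=$1
    princ=$2
    [ -f "$k5" ] || return 1
    perm=$(file_mode "$k5") || return 1
    case $perm in
        *[2367]? | *[2367]) return 1 ;;   # group or other write bit set
    esac
    grep -Fxq "$princ" "$k5"
}

# make_demo_tree DIR
#   Build constructed files under DIR: a correctly protected keytab, a
#   world-readable one, and a .k5login naming DEMO_PRINC. Modes are set
#   explicitly so the result does not depend on the caller's umask.
make_demo_tree() {
    dir=$1
    mkdir -p "$dir"
    printf 'constructed keytab bytes\n' > "$dir/v5srvtab"
    chmod 600 "$dir/v5srvtab"
    printf 'constructed keytab bytes\n' > "$dir/v5srvtab.leaky"
    chmod 644 "$dir/v5srvtab.leaky"
    printf '%s\n' "$DEMO_PRINC" > "$dir/.k5login"
    chmod 644 "$dir/.k5login"
}

# Demonstration on a throwaway directory owned by the current user.
demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
me=$(id -u)
for f in v5srvtab v5srvtab.leaky; do
    if keytab_is_private "$demo_dir/$f" "$me"; then
        echo "$f: private, safe to hand to kinit -k"
    else
        echo "$f: UNSAFE, fix owner/mode before using it"
    fi
done
if k5login_allows "$demo_dir/.k5login" "$DEMO_PRINC"; then
    echo ".k5login grants $DEMO_PRINC"
fi
rm -rf "$demo_dir"
```

On a real slave the calls would be keytab_is_private /etc/v5srvtab (uid 0 by default) and k5login_allows /root/.k5login "host/kdc-name.domain-name@realm-name"; the demo passes the current uid only so that it runs without root.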