[602] in Kerberos-V5-bugs
Using Aklog with Kerberos 5.4.1 to get an AFS Token
daemon@ATHENA.MIT.EDU (Doug Engert)
Tue Jul 26 11:00:29 1994
Date: Tue, 26 Jul 94 09:20:09 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <TYTSO@MIT.EDU>
Cc: <AUTH-PILOT@ES.NET>, <KERBEROS@MIT.EDU>, <KRB5-BUGS@MIT.EDU>
Ted,
I will back off of the request to change krb425/get_cred.c since
as you point out you need the krb5 ticket returned in the
CREDENTIALS structure. I hope today to produce the mods to aklog
which will do the same thing. It looks like about 20 lines of
code.
In your note to Jerry Johnson, you listed three options for
getting the AFS token:
o Modify kinit to get a V4 and V5 ticket from a V5 KDC with the
V4 compatibility mode turned on.
o Run the krb425d and use the krb524init then use the unmodified
aklog.
o Modify aklog to call krb425d to convert a V5 ticket into a V4
ticket and then have aklog use that V4 ticket.
I favor that last option for a number of reasons:
o I would like to use forwarded credentials to get an AFS token.
This would allow a user to telnet/rlogin to another machine,
and have the telnetd/rlogind get an AFS token automatically.
This would allow the user to have immediate access to AFS,
such as for his home directory. In this case kinit is not
used.
o I don't want to have a krb4 cache if I don't need one. It's one
more thing to have to clean up. krb524init will create one.
o In our case, the krb4 realm is using the AFS kaserver as the
KDC, and will continue to do so for some time. There are no
plans at this time to convert the kaserver entries to a k5
server.
As Jerry said in another note, I too would like to thank you for
your assistance and your patience in helping members of the ESnet
authentication pilot project. (I hope you have a little more
patience, since I have another mod to walk_rtree.c which will
allow shortcuts in cross realm authentication and thus eliminate
the need for a .gov realm or .edu realm. I will be sending this
suggestion out shortly.)
Thanks,
Doug
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov