[151] in Info-AFS_Redistribution
Re: interaction with kerberos
daemon@ATHENA.MIT.EDU (Wallace Colyer)
Mon Jun 17 15:52:10 1991
Date: Mon, 17 Jun 91 15:27:19 -0400 (EDT)
From: Wallace Colyer <wally+@andrew.cmu.edu>
To: Info-AFS@transarc.com, Steve Lacey <sjl@doc.imperial.ac.uk>
In-Reply-To: <0cLCAACGeEI68OiG84@doc.ic.ac.uk>

This is a message I sent out this morning to someone else who was asking
the same question:

There are two approaches to dealing with AFS and kerberos. Which one
you take depends on your history and where you see your AFS involvement
going.

The basic problem is that AFS uses a different string-to-key algorithm
than the standard kerberos one. This is historical. When it was
decided at CMU to store the passwords in a one-way encrypted format they
used the cell name to xor against the string before generating the key.
This way the keys would be different for every cell regardless of whether
the strings were the same. MIT did not do this in their implementation.

The two options are to make the AFS kaserver act like a kerberos server
or to make a kerberos server generate afs tickets. We went with the
first method because there are already 15,000 users here with passwords
encrypted using the AFS method.

We modified the AFS ka_UserAuthenticate routine to, by default, generate
a ticket file and store it on the local disk (we actually put it in
/ticket instead of /tmp, but that doesn't really matter). The kaserver
can then be used as a normal read-only kerberos server since it speaks
normal kerberos udp. As long as the first step of using the AFS
string-to-key and storing the ticket granting ticket is done, things work
normally, though you have to use AFS programs to change passwords.

The second method is to modify the authentication routines to talk to a
normal kerberos server using the MIT string-to-key and store the afs
ticket in the kernel. The problem here is that other AFS sites will
have problems authenticating to your site.

For both solutions source licenses are really needed. Transarc have
been given everything that we have done to implement the first solution.
I believe others have given them the work they did with the second.

-Wallace
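As an added illustration (not code from the message, from AFS or from MIT Kerberos), here is a simplified Python model of the string-to-key difference described above: the same password yields per-cell keys once the cell name is XORed in, so a client using the plain MIT derivation cannot authenticate against an AFS-derived key database. The padding rules, the SHA-256 stand-in for DES key generation, the user name and the cell names are all assumptions.

```python
import hashlib

# Constructed, simplified model of the two string-to-key schemes the message
# contrasts. It is NOT the real AFS kaserver or MIT Kerberos code: a SHA-256
# digest stands in for the DES-based key generation so that the one step the
# message describes, XORing the cell name into the string, can be seen alone.

def mit_string_to_key(password: str) -> bytes:
    """MIT-style: the key depends only on the password string."""
    return hashlib.sha256(password.encode()).digest()[:8]

def afs_string_to_key(password: str, cell: str) -> bytes:
    """AFS-style: XOR the cell name into the string, then generate the key.
    Assumed padding (the message gives none): password and lower-cased cell
    name are each truncated or NUL-padded to 8 bytes before the XOR."""
    pw = password.encode()[:8].ljust(8, b"\0")
    cellname = cell.lower().encode()[:8].ljust(8, b"\0")
    mixed = bytes(p ^ c for p, c in zip(pw, cellname))
    return hashlib.sha256(mixed).digest()[:8]

def stored_keys(users: dict, cell: str) -> dict:
    """What a kaserver for `cell` would hold: one AFS-derived key per user."""
    return {name: afs_string_to_key(pw, cell) for name, pw in users.items()}

def can_authenticate(db: dict, user: str, candidate_key: bytes) -> bool:
    """A KDC accepts a client only if the client derived the same key."""
    return db.get(user) == candidate_key

# Constructed sample: one account with the same password registered in two cells.
USERS = {"wally": "correct horse"}
CMU_DB = stored_keys(USERS, "andrew.cmu.edu")
IMPERIAL_DB = stored_keys(USERS, "doc.ic.ac.uk")

def demo() -> dict:
    pw = USERS["wally"]
    return {
        # Same password, different cells: the AFS-derived keys differ.
        "cells_differ": CMU_DB["wally"] != IMPERIAL_DB["wally"],
        # An AFS client that mixes in the right cell name is accepted.
        "afs_client_ok": can_authenticate(CMU_DB, "wally", afs_string_to_key(pw, "andrew.cmu.edu")),
        # A plain MIT string-to-key client fails against the AFS-derived key:
        # this is the interoperability gap both options in the message address.
        "mit_client_ok": can_authenticate(CMU_DB, "wally", mit_string_to_key(pw)),
    }

if __name__ == "__main__":
    print(demo())
```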