[8342] in Info-AFS_Redistribution
Re: Question about using Kerberos with AFS
daemon@ATHENA.MIT.EDU (Brandon S. Allbery KF8NH)
Thu Dec 28 15:22:20 2000
Date: Thu, 28 Dec 2000 14:58:55 -0500
From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
To: Michael Pelletier <mike@alteon.com>, info-afs@transarc.com
Message-ID: <12320000.978033535@pyanfar>
In-Reply-To: <Pine.SOL.3.95.1001228101556.8895i-100000@arrakis.alteon.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
On Thursday, December 28, 2000 10:39:40 AM -0800, Michael Pelletier
<mike@alteon.com> wrote:
+-----
| I'd like to get to the point where I'd be able to deploy kerberized and
| encrypted telnet, rlogin, IMAP, ssh, VPN access, and so on, but I'm not
| clear on whether AFS's kaserver is sufficient for this. I get the
| impression that it's not sufficient, due to the fact that the
| ticket-granting-ticket is discarded after the AFS token is acquired... Is
| this correct?
+--->8
No, because that's not a function of the kaserver. It's a function of the
klog program. Use klog.krb, MIT Kerberos with kinit+aklog/cklog, or KTH
Kerberos or Heimdal with kinit+afslog or kauth.
Where the kaserver falls short is that generating srvtabs for e.g.
Kerberized telnet is painful and can be impossible with some versions of
AFS. In this case you may want to use a real KDC in place of kaserver.
| Would I be better off with Kerberos 4 or 5 in the long run?
+--->8
In the long run, Kerberos 5.
| Also, does the Kerberos realm have to match the DNS domain name of the
| machines in the realm?
+--->8
No, but it simplifies things when accessing machines from outside the
domain.
--
brandon s. allbery [os/2][linux][solaris][japh] allbery@kf8nh.apk.net
system administrator [WAY too many hats] allbery@ece.cmu.edu
electrical and computer engineering KF8NH
carnegie mellon university ["better check the oblivious first" -ke6sls]