[8523] in Info-AFS_Redistribution
Re: cron on AFS files
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sat Mar 3 00:23:50 2001
Message-Id: <200103030516.f235Gn912658@ginger.cmf.nrl.navy.mil>
To: Peter Scott <Peter.J.Scott@jpl.nasa.gov>
cc: info-afs@transarc.com
In-reply-to: Your message of "Fri, 02 Mar 2001 17:40:33 PST."
<4.3.2.7.2.20010302173700.00b35c80@mail2a.jpl.nasa.gov>
Date: Sat, 03 Mar 2001 00:16:47 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
>But most of our AFS clients don't have an /etc/krb.conf. That's why our
>primary authentication server has the alias 'kerberos', because we don't
>have the ability to dictate the contents of /etc/krb.conf or environment
>variables on the users' workstations. Yet klog manages to exercise
>redundancy in the face of this... how?
You certainly have the ability to dictate the contents of /usr/vice/etc/
CellServDB on your AFS clients, don't you? :-)
FWIW, klog doesn't use the V4 Kerberos network protocol; it uses
RX to talk to one of the kaservers listed in your CellServDB. I think
there's an API function that does what you want (probably something like
ka_UserAuthenticateGeneral(), but I forget now).
>>The advantage of gettoken is that it uses a srvtab and not a user
>>password. The srvtab still needs to be stored somewhere on the local
>>machine, and is a security issue, but it's not quite as bad as
>>storing a naked plaintext password.
I don't really agree here; it's only _slightly_ better (I'm talking a
hair better), since the key is a password-equivalent.
--Ken
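The redundancy Ken describes comes from the client's CellServDB, which lists several database servers per cell; klog can try them in turn. The following is an added illustration (not code from the thread or from AFS): a parser for the CellServDB format plus a failover loop over the listed servers, with a hypothetical `attempt` callback standing in for the RX round trip to a kaserver and a constructed sample file.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample in /usr/vice/etc/CellServDB format: a ">cell" line
# followed by one line per database server ("IP  #hostname").
SAMPLE_CELLSERVDB = """\
>example.org            #Example cell (constructed sample)
192.0.2.10              #afsdb1.example.org
192.0.2.11              #afsdb2.example.org
192.0.2.12              #afsdb3.example.org
>other.example.net      #Second cell
198.51.100.5            #db.other.example.net
"""

_CELL_RE = re.compile(r"^>(\S+)")
_SERVER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*#?\s*(\S*)")


def parse_cellservdb(text: str) -> Dict[str, List[str]]:
    """Map each cell name to the ordered list of its database server addresses."""
    cells: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CELL_RE.match(line)
        if m:  # start of a new cell stanza
            current = m.group(1)
            cells.setdefault(current, [])
            continue
        m = _SERVER_RE.match(line)
        if m and current is not None:  # server line belongs to the current cell
            cells[current].append(m.group(1))
    return cells


def authenticate_with_failover(servers: List[str],
                               attempt: Callable[[str], str]) -> Tuple[str, str]:
    """Try each listed kaserver in order, the way a client with several
    database servers in CellServDB survives one of them being down.
    `attempt` is a hypothetical callback that returns a token or raises OSError."""
    errors = []
    for srv in servers:
        try:
            return srv, attempt(srv)
        except OSError as exc:
            errors.append((srv, str(exc)))
    raise RuntimeError(f"all kaservers failed: {errors}")
```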