[8523] in Info-AFS_Redistribution


Re: cron on AFS files

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Sat Mar 3 00:23:50 2001

Message-Id: <200103030516.f235Gn912658@ginger.cmf.nrl.navy.mil>
To: Peter Scott <Peter.J.Scott@jpl.nasa.gov>
cc: info-afs@transarc.com
In-reply-to: Your message of "Fri, 02 Mar 2001 17:40:33 PST."
             <4.3.2.7.2.20010302173700.00b35c80@mail2a.jpl.nasa.gov> 
Date: Sat, 03 Mar 2001 00:16:47 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>

>But most of our AFS clients don't have an /etc/krb.conf.  That's why our 
>primary authentication server has the alias 'kerberos', because we don't 
>have the ability to dictate the contents of /etc/krb.conf or environment 
>variables on the users' workstations.  Yet klog manages to exercise 
>redundancy in the face of this... how?

You certainly have the ability to dictate the contents of
/usr/vice/etc/CellServDB on your AFS clients, don't you? :-)

FWIW, klog doesn't use the V4 Kerberos network protocol; it uses
RX to talk to one of the kaservers listed in your CellServDB.  I think
there's an API function that does what you want (probably something like
ka_UserAuthenticateGeneral(), but I forget now).

>>The advantage of gettoken is that it uses a srvtab and not a user
>>password.  The srvtab still needs to be stored somewhere on the local
>>machine, and is a security issue, but it's not quite as bad as
>>storing a naked plaintext password.

I don't really agree here; it's only _slightly_ better (I'm talking a
hair better), since the key is a password-equivalent.

--Ken
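The klog behaviour Ken describes above (take the kaservers from the client's own CellServDB and fall back to another when one does not answer), as an added Python illustration that is not from this thread or from OpenAFS: the Rx authentication exchange is replaced by a hypothetical injected `attempt` callable, and the CellServDB contents are constructed.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample in the /usr/vice/etc/CellServDB format: ">cell #description"
# followed by one "address #hostname" line per database server of that cell.
SAMPLE_CELLSERVDB = """\
>example.org            #Example cell (constructed)
192.0.2.10              #db1.example.org
192.0.2.11              #db2.example.org
>other.org              #Another cell (constructed)
198.51.100.5            #db.other.org
"""


def parse_cellservdb(text: str) -> Dict[str, List[str]]:
    """Return {cell: [server address, ...]} in file order."""
    cells: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the hostname/description comment
        if not line:
            continue
        if line.startswith(">"):
            current = line[1:].strip().lower()  # AFS cell names are case-insensitive
            cells.setdefault(current, [])
        elif current is not None:
            cells[current].append(line)  # database server address (where kaserver runs)
    return cells


def authenticate_with_failover(cell: str, servers: Dict[str, List[str]],
                               attempt: Callable[[str], bool]) -> Optional[str]:
    """Try the cell's kaservers in turn and return the first that answers.

    attempt(addr) stands in for the Rx authentication exchange (hypothetical
    callable): True on success, False or OSError when the server is down.
    """
    for addr in servers.get(cell.lower(), []):
        try:
            if attempt(addr):
                return addr
        except OSError:
            continue  # unreachable server: redundancy comes from trying the next one
    return None


if __name__ == "__main__":
    db = parse_cellservdb(SAMPLE_CELLSERVDB)
    down = {"192.0.2.10"}  # constructed outage of the first server
    print(authenticate_with_failover("example.org", db, lambda a: a not in down))
```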
