[7586] in Kerberos
Re: Question about the security of forwarded TGTs
daemon@ATHENA.MIT.EDU (Doug Engert)
Wed Jul 3 10:24:52 1996
Date: Wed, 3 Jul 1996 09:08:15 -0500
From: Doug Engert <DEEngert@anl.gov>
To: kenh@cmf.nrl.navy.mil (Ken Hornstein)
Cc: kerberos@MIT.EDU
In-Reply-To: <4rc9br$3do@nexus.cmf.nrl.navy.mil>
Ken Hornstein writes:
>
> I _did_ consider that, but the main tickets I'm interested in getting are
> AFS tickets, and since that's v4, I didn't quite know if I could use
> proxyable tickets with that. This is for a batch job system, and it's
> possible that during the batch job the user could want tickets for
> services other than what he had originally.
Ken, I see that you are interested in AFS tickets. We have been using
a modified version of the aklog program and the krb524 lib and daemon
to do this for some time. I now have this working with Kerberos 5 beta
6 as well.
Aklog was modified to use the V5 protocol to request a ticket for
afsx/<afscellname>@<k5realmname>. It then sends this to the krb524d
running on the security server, and it converts it to a V4 ticket for
afs@<afscellname> which is then returned to aklog. This is then
stuffed into the kernel as an AFS token.
This then allows aklog (now called ak5log to avoid conflicts with
the aklog which may be useful in some situations) to use a forwarded
ticket to get the AFS token.
We also have some additional modifications to krlogind to call two
modules, k5dcelogin and k5afslogin, before the login.krb5 or the
vendor's login. These use the forwarded ticket to get a DCE context and
AFS tokens automatically.
Older versions of these can be found at
ftp://achilles.ctd.anl.gov/pub/kerberos.v5; see the README file. I am
working on putting the final touches on the K5.6 versions and will
have these in place next week.
Hope this helps.
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
PGP Key fingerprint = 20 2B 0C 78 43 8A 9C A6 29 F7 A3 6D 5E 30 A6 7F