Fwd: [OpenAFS] Manually Creating Cross Realm Users
Chris McClimans
openafs-info@mcclimans.net
Thu, 7 Aug 2003 06:43:54 -0500
>>> There is no way to create an openafs server keytab from a password eh?
>>
>> Shouldn't be hard to write, instead of reading a key from input, read a
>> password and apply string_to_key to it. You should be able to steal the
>> code you need from klog or whatever and stick in bos.
>>
>>> authority over the afs/cell. If they create the keytab and send it to
>>> us, they could connect
>>
>> Oh, well, if what you have is actually a krb5 keytab, heimdal has a
>> utility (ktutil, in fact) which will read a keytab and write an AFS
>> KeyFile
>
> 'asetkey' does this...
>
> However, also note that if they administer the kerberos realm they can
> print themselves a ticket as any user. Not understanding your threat
> model it's hard to give you advice.
From my previous email:
"""
One thing here is that the kerberos realm administrators should not
have administrative
authority over the afs/cell. If they create the keytab and send it to
us. They could connect
to any of our afs services with administrative privileges. In our
scenario we only trust the other kerberos
realm as an authentication source for users, not an administrative
authority for anything else.
"""
In our environment we have different roles/organizations which steward
different resources. In this case a central organization handles all campus
accounts for students/faculty/staff. They are not stewards of the resources
(like AFS) within a department. I am trying to make sure that in trusting
them for authentication for users (via kerberos) I am not providing them
with a method to log in as root onto my AFS cells. This would be possible
if they had a copy of the afs/department.university.edu password or keytab.

Cross realm trust seems to address this issue, but I'll have to hack
ptserver to allow me to specify unix UIDs. A better method would be to use
nss_ldap or something for afs UIDs and groups. Has anyone looked at that
before? Are there any large barriers to implementing it?
-chris
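Added example (not from the thread or from OpenAFS): a small reader/writer for the AFS KeyFile that asetkey and heimdal ktutil produce, showing what `asetkey add` does once the DES key is out of the keytab. The layout (big-endian int32 key count, then int32 kvno plus 8-byte DES key per entry) and the 8-key limit are assumptions based on OpenAFS's afsconf_keys struct; the sample key is constructed. This file is the cell's administrative secret the message is about, so whoever can write it holds the cell.

```python
import struct

# Assumed KeyFile layout (from OpenAFS's afsconf_keys struct):
# big-endian int32 nkeys, then nkeys entries of int32 kvno + 8-byte DES key.
ENTRY = struct.Struct(">i8s")
MAX_KEYS = 8  # AFSCONF_MAXKEYS in OpenAFS (assumed)

# Constructed sample key; a real one comes from the afs/<cell> keytab entry.
SAMPLE_KEY = bytes(range(1, 9))


def parse_keyfile(data: bytes) -> dict:
    """Return {kvno: 8-byte key} from raw KeyFile contents; reject junk."""
    if len(data) < 4:
        raise ValueError("KeyFile too short")
    (nkeys,) = struct.unpack_from(">i", data, 0)
    if nkeys < 0 or nkeys > MAX_KEYS or len(data) < 4 + nkeys * ENTRY.size:
        raise ValueError("malformed KeyFile")
    keys = {}
    for i in range(nkeys):
        kvno, key = ENTRY.unpack_from(data, 4 + i * ENTRY.size)
        keys[kvno] = key
    return keys


def build_keyfile(keys: dict) -> bytes:
    """Serialize {kvno: key} back into KeyFile bytes, kvnos ascending."""
    if len(keys) > MAX_KEYS:
        raise ValueError("too many keys for KeyFile")
    out = struct.pack(">i", len(keys))
    for kvno in sorted(keys):
        out += ENTRY.pack(kvno, keys[kvno])
    return out


def add_key(data: bytes, kvno: int, key: bytes) -> bytes:
    """What `asetkey add` does after extracting the key from the keytab:
    insert the key under kvno, replacing an existing entry with that kvno."""
    if len(key) != 8:
        raise ValueError("AFS KeyFile holds single-DES keys (8 bytes)")
    keys = parse_keyfile(data) if data else {}
    keys[kvno] = key
    return build_keyfile(keys)


if __name__ == "__main__":
    kf = add_key(b"", 3, SAMPLE_KEY)
    print(parse_keyfile(kf))
```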