[OpenAFS-devel] How can I use rsh to connect with AFS
Jeffrey Hutzelman
jhutz@cmu.edu
Tue, 15 Jan 2002 19:56:57 -0500 (EST)
On Tue, 15 Jan 2002, Neulinger, Nathan wrote:
> I don't remember for certain, but I know many of those types of tools passed
> the token over the net in the clear - they didn't actually use kerberos
> ticket forwarding. They just did a GetToken, and wrote the token over the
> socket to the remote connection, which did a SetToken.
That would be because (a) Kerberos V4 doesn't have ticket forwarding, and
(b) these things likely predate AFS's use of Kerberos. That said, they
are broken in at least three ways:
- all the standard rcmd insecurities, plus they are ancient
- they pass tokens over the net in the clear
- IIRC, some of these allow logins based on the received token
without first doing proper ticket validation