[OpenAFS-devel] token format
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 05 Jul 2006 12:57:33 -0400
On Monday, July 03, 2006 02:12:15 PM -0400 Sean O'Malley <omalleys@msu.edu>
wrote:
> If I was going to hack at, say, the pam_krb5afs module,
> and just wanted to auth, set a pag, grab a ticket and then a token
> against a krb5 cell and ignore ALL backwards compatibility (mainly for
> simplicity's sake.) I am trying to avoid 524 support, krb IV, and a few
> other things which just complicate my life when building this.
>
> Am I looking at 2b token support or have we progressed to just using
> Kerberos tickets? :)

Either will work, as long as you use the correct magic "kvno" to let the
server know what's going on, and as long as the enctypes are DES.

The 2b format was designed so that existing AFS clients and krb524-aware
aklog and equivalent could be used without modification, to enable a quick
transition. As such, it had to fit in the available space in existing
cache managers, and be something that could be substituted for a krb4
ticket in the krb524 response (which is little more than a ticket to begin
with). Fileservers have supported full Kerberos V5 tickets for about as
long as 2b.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA