[OpenAFS] Tokens that do not expire

Charles Clancy security@xauth.net
Sat, 19 Oct 2002 01:43:39 -0500 (CDT)


> >This of course *requires* either a hardcoded password in a
> >reauthentication script or some other file-based method of obtaining
> >the tokens (such as a kerberos srvtab/keytab).
>
> One additional thing to consider ... a ticket which never expires is
> equivalent to a hardcoded password/Kerberos keytab, so it's not like a
> never-expiring ticket gains you much in the way of security ...

Or for that matter, why not just use an IP ACL?  Similar level of security
to a hardcoded password (assuming hacked machine == stolen IP), but no
tokens to worry about.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]