[OpenAFS] AFS Authentication from Apache?
Charles Clancy
security@xauth.net
Sat, 19 Oct 2002 09:54:27 -0500 (CDT)
On 19 Oct 2002, Derek Atkins wrote:
> Charles Clancy <security@xauth.net> writes:
>
> > I wrote a script that would grab a PAG, try to authenticate, then return
> > success or failure. Since it directly called klog, it didn't need the
> > users to have NSS info to log in, and since it grabbed a new PAG, there
> > weren't any token overwriting issues.
>
> Hopefully you grabbed rather short-lived tokens?

It unlogged too. Wouldn't the token die with the PAG, so what difference
would it make?

> Also, you do realize that PAG generation is limited to approx 1/sec?

Our site didn't have that much traffic.

Perhaps a better model would be to use a v4 kinit: check password without
ever getting a token.

Of course, none of this works if you're trying to use the obtained token
to access AFS space with Apache. My method was only intended to
authenticate, not authorize.
[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
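
The approach discussed in this message (new PAG, klog, report success or failure, unlog), sketched as an added example; this is not the script from the thread. The PAGSH, KLOG, UNLOG and TOKEN_LIFETIME variables, the function name and the five-minute lifetime are assumptions made for the sketch.

```shell
#!/bin/sh
# Added example: verify an AFS password inside a throwaway PAG.
# PAGSH/KLOG/UNLOG/TOKEN_LIFETIME are hypothetical override knobs for this
# sketch; pagsh, klog and unlog themselves are the standard AFS tools.
PAGSH=${PAGSH:-pagsh}
KLOG=${KLOG:-klog}
UNLOG=${UNLOG:-unlog}
TOKEN_LIFETIME=${TOKEN_LIFETIME:-0:05}   # hh:mm, assumed: keep the token short-lived

# afs_check_password USER
# The password is read from stdin so it never appears in argv or `ps`.
# Returns 0 if klog accepted the password, 2 on a rejected user name,
# and another non-zero status on authentication failure.
afs_check_password() {
    user=$1

    # Only accept a plain principal name: no empty string, no leading
    # dash (would be parsed as a klog option), no shell metacharacters.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) return 2 ;;
    esac

    # pagsh runs the shell in a new PAG, so the token klog obtains cannot
    # overwrite tokens held by the calling process (e.g. the web server).
    # Values are passed as positional parameters, not spliced into the
    # command string. klog -pipe reads the password from stdin.
    "$PAGSH" -c '
        "$1" -principal "$3" -pipe -lifetime "$4"
        rc=$?
        "$2"                 # unlog: drop the token whatever klog returned
        [ "$rc" -eq 0 ]
    ' sh "$KLOG" "$UNLOG" "$user" "$TOKEN_LIFETIME"
}
```

Each call creates one PAG, so the rate limit on PAG generation mentioned in the thread bounds how many checks per second this can serve.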