[OpenAFS] AFS Authentication from Apache?
Derek Atkins
warlord@MIT.EDU
19 Oct 2002 13:25:42 -0400
Charles Clancy <security@xauth.net> writes:
> > Hopefully you grabbed rather short-lived tokens?
>
> It unlogged too. Wouldn't the token die with the PAG, so what difference
> would it make?
PAGs never "die" (per se). Tokens do. PAGs are GCed periodically,
but I don't know the GC algo offhand.
> > Also, you do realize that PAG generation is limited to approx 1/sec?
>
> Our site didn't have that much traffic.
>
> Perhaps a better model would be to use a v4 kinit: check password without
> ever getting a token.
>
> Of course, none of this works if you're trying to use the obtained token
> to access AFS space with apache. My method was only intended to
> authenticate, not authorize.
A v4 tgt is probably "better" in terms of authenticating. Just make
sure you get a TGT and then a service ticket for a "known" key (like
http/<hostname>) so you don't get hit with the KDC-spoofing attack.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
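The KDC-spoofing point above, as an added example that is not part of the thread: a toy model in which an authenticator that only checks that the AS reply decrypts under the typed password is fooled by a rogue KDC, while one that goes on to fetch a service ticket for a key it holds (the http/<hostname> keytab) is not. `seal`/`unseal` are an HMAC stand-in for Kerberos encryption, and the principal, password and key values are all constructed.

```python
# Toy model of "verify the TGT against a service key we hold" (assumed, not real krb4).
# seal()/unseal() are an HMAC tag standing in for Kerberos encryption so the
# protocol logic runs offline; they are not cryptographically equivalent.
import hmac, hashlib, os, json

def key_from_password(pw: str) -> bytes:
    return hashlib.sha256(pw.encode()).digest()  # stand-in for string-to-key

def seal(key: bytes, obj: dict) -> bytes:
    body = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes):
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None  # "decryption" fails under the wrong key
    return json.loads(body)

class KDC:
    """Honest KDC: holds the users' keys and the http/<host> service key."""
    def __init__(self, user_keys: dict, host_key: bytes):
        self.user_keys, self.host_key = user_keys, host_key
    def as_exchange(self, user: str) -> bytes:  # kinit: AS-REP under the user's key
        return seal(self.user_keys[user], {"client": user, "tgt": os.urandom(8).hex()})
    def tgs_exchange(self, user: str, service: str) -> bytes:  # service ticket
        return seal(self.host_key, {"client": user, "service": service})

class SpoofedKDC(KDC):
    """A KDC answering over a hijacked path: knows neither real key, so it can
    only seal replies under a key derived from a password of its own choosing."""
    def __init__(self, chosen_password: str):
        super().__init__({}, os.urandom(32))  # random, wrong "host key"
        self.k = key_from_password(chosen_password)
    def as_exchange(self, user: str) -> bytes:
        return seal(self.k, {"client": user, "tgt": "forged"})

def naive_check(user: str, password: str, kdc: KDC) -> bool:
    """Only checks that the AS-REP decrypts under the password: spoofable."""
    return unseal(key_from_password(password), kdc.as_exchange(user)) is not None

def verified_check(user: str, password: str, kdc: KDC, keytab_key: bytes, service: str) -> bool:
    """Also obtains a ticket for a service whose key we hold and checks it."""
    if unseal(key_from_password(password), kdc.as_exchange(user)) is None:
        return False
    tkt = unseal(keytab_key, kdc.tgs_exchange(user, service))
    return tkt is not None and tkt["client"] == user and tkt["service"] == service
```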