[OpenAFS] AFS Authentication from Apache?

Derek Atkins warlord@MIT.EDU
19 Oct 2002 13:25:42 -0400


Charles Clancy <security@xauth.net> writes:

> > Hopefully you grabbed rather short-lived tokens?
> 
> It unlogged too.  Wouldn't the token die with the PAG, so what difference
> would it make?

PAGs never "die" (per se).  Tokens do.  PAGs are GCed periodically,
but I don't know the GC algo offhand.

> > Also, you do realize that PAG generation is limited to approx 1/sec?
> 
> Our site didn't have that much traffic.
> 
> Perhaps a better model would be to use a v4 kinit: check password without
> ever getting a token.
> 
> Of course, none of this works if you're trying to use the obtained token
> to access AFS space with apache.  My method was only intended to
> authenticate, not authorize.

A v4 TGT is probably "better" in terms of authenticating.  Just make
sure you get a TGT and then a service ticket for a "known" key (like
http/<hostname>) so you don't get hit with the KDC-spoofing attack.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
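The check Derek describes (obtain a TGT, then a service ticket for a key the verifying host already holds, and only accept the password if that ticket decrypts) is what MIT Kerberos exposes as `krb5_verify_init_creds`. The following toy model is an added illustration, not code from this thread or from OpenAFS/Apache: it stands in a minimal AS/TGS exchange with HMAC-SHA256 in place of real Kerberos encryption, uses constructed principal names (`alice`, `http/www.example.org`) and passwords, and compares a password check that only decrypts the AS-REP against one that also demands a ticket for the local service key. Against an honest KDC both behave the same; against a KDC that does not hold the web server's key, only the second check refuses.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
MAC_LEN = 32


def string_to_key(password: str) -> bytes:
    """Toy string-to-key; real Kerberos salts with the principal name."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption standing in for Kerberos enctypes."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes):
    """Plaintext if `key` is the sealing key and the blob is intact, else None."""
    if len(blob) < NONCE_LEN + MAC_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-MAC_LEN], blob[-MAC_LEN:]
    expect = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


class KDC:
    """Minimal KDC: `keys` maps principal name -> long-term key."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.keys["krbtgt"] = secrets.token_bytes(32)

    def as_exchange(self, client: str):
        """AS-REP: session key under the client's key, plus a TGT under krbtgt."""
        session = secrets.token_bytes(32)
        enc_part = seal(self.keys[client], session)
        tgt = seal(self.keys["krbtgt"], client.encode() + b"|" + session)
        return enc_part, tgt

    def tgs_exchange(self, tgt: bytes, service: str):
        """TGS-REP: a service ticket naming the client, sealed under the service key.
        (The authenticator check of the real protocol is omitted in this model.)"""
        inner = unseal(self.keys["krbtgt"], tgt)
        if inner is None:
            return None
        client, _session = inner.split(b"|", 1)
        return seal(self.keys[service], client)


def naive_check(kdc: KDC, user: str, password: str) -> bool:
    """Accepts if the AS-REP decrypts with the typed password: anyone who
    answers as the KDC and knows the typed password passes this."""
    enc_part, _tgt = kdc.as_exchange(user)
    return unseal(string_to_key(password), enc_part) is not None


def verified_check(kdc: KDC, user: str, password: str, service: str, keytab_key: bytes) -> bool:
    """Same, but also demand a service ticket for a key held locally (the
    keytab) and confirm it names the user: what krb5_verify_init_creds does."""
    enc_part, tgt = kdc.as_exchange(user)
    if unseal(string_to_key(password), enc_part) is None:
        return False
    ticket = kdc.tgs_exchange(tgt, service)
    if ticket is None:
        return False
    return unseal(keytab_key, ticket) == user.encode()


def scenarios():
    """Run both checks against an honest KDC and a KDC lacking the web server's key.
    All names, passwords and keys here are constructed for the model."""
    service = "http/www.example.org"
    web_key = secrets.token_bytes(32)  # the key in the web server's keytab
    real_kdc = KDC({"alice": string_to_key("correct horse"), service: web_key})
    # A KDC that knows the password it expects to be typed but not web_key.
    other_kdc = KDC({"alice": string_to_key("letmein"), service: secrets.token_bytes(32)})
    return {
        "honest_good_naive": naive_check(real_kdc, "alice", "correct horse"),
        "honest_good_verified": verified_check(real_kdc, "alice", "correct horse", service, web_key),
        "honest_bad_naive": naive_check(real_kdc, "alice", "wrong"),
        "honest_bad_verified": verified_check(real_kdc, "alice", "wrong", service, web_key),
        "spoofed_naive": naive_check(other_kdc, "alice", "letmein"),
        "spoofed_verified": verified_check(other_kdc, "alice", "letmein", service, web_key),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22s} {'accept' if ok else 'reject'}")
```

The deciding line is the final `unseal(keytab_key, ticket)`: the verifier never trusts the KDC's answer on its own, it trusts a ticket it can open with a key it already possesses. In a real deployment the equivalent is pointing the verification at a keytab holding the `http/<hostname>` key so that `krb5_verify_init_creds` has something to check against.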