[OpenAFS] running daemons on /afs and KeyFile question
Mihai Lozoveanu
mlozo@itcnetworks.ro
Tue, 22 Apr 2003 14:59:15 +0300
Hi,
Did anybody implement a solution for running a daemon under AFS root tokens on
the AFS file space without keeping on the local disk the Kerberos 5 keytab
corresponding to the AFS root account? I mean a sort of wrapper around the
daemon that gets the keytab from a server (over an encrypted channel, probably),
gets the tokens with setpag and runs the particular daemon.
Another issue that I would like to ask advice on is the distribution of the
KeyFile. I understand that there cannot be different KeyFile files for different
servers in the network because this KeyFile gets mapped to the same afs entry in
the Kerberos 5 database. How dangerous is it in terms of security to give this
KeyFile to a user who wants to export something to AFS space? Can this KeyFile
be exploited to get unauthorized access to the rest of AFS space?
Thanks very much for your help,
Mihai.