[OpenAFS] Manually Creating Cross Realm Users
Derek Atkins
warlord@MIT.EDU
05 Aug 2003 16:31:45 -0400
Derrick J Brashear <shadow@dementia.org> writes:
> (Please don't CC me on your reply)
>
> On Tue, 5 Aug 2003, Chris McClimans wrote:
>
> > There is no way to create an OpenAFS server keytab from a password, eh?
>
> Shouldn't be hard to write, instead of reading a key from input, read a
> password and apply string_to_key to it. You should be able to steal the
> code you need from klog or whatever and stick in bos.
>
> > authority over the afs/cell. If they create the keytab and send it to
> > us. They could connect
>
> Oh, well, if what you have is actually a krb5 keytab, Heimdal has a
> utility (ktutil, in fact) which will read a keytab and write an AFS
> KeyFile.

'asetkey' does this...

However, also note that if they administer the Kerberos realm they can
print themselves a ticket as any user. Not understanding your threat
model, it's hard to give you advice.

> > Maybe I could hack the database offline? Does anyone have pointers to
> > the format
> > or other suggestions?
>
> pt_util will dump it and you can edit the dump, but I'm not sure what you
> mean to be doing.

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available