[OpenAFS] Manually Creating Cross Realm Users

Derek Atkins warlord@MIT.EDU
05 Aug 2003 16:31:45 -0400


Derrick J Brashear <shadow@dementia.org> writes:

> (Please don't CC me on your reply)
> 
> On Tue, 5 Aug 2003, Chris McClimans wrote:
> 
> > There is no way to create an openafs server keytab from a password eh?
> 
> Shouldn't be hard to write, instead of reading a key from input, read a
> password and apply string_to_key to it. You should be able to steal the
> code you need from klog or whatever and stick in bos.
> 
> > authority over the afs/cell. If they create the keytab and send it to
> > us. They could connect
> 
> Oh, well, if what you have is actually a krb5 keytab, heimdal has a
> utility (ktutil, in fact) which will read a keytab and write an AFS
> KeyFile)

'asetkey' does this...

However, also note that if they administer the kerberos realm they can
print themselves a ticket as any user.  Not understanding your threat
model it's hard to give you advice.

> > Maybe I could hack the database offline? Does anyone have pointers to
> > the format
> > or other suggestions?
> 
> pt_util will dump it and you can edit the dump, but I'm not sure what you
> mean to be doing.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
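Both `asetkey` and Heimdal's `ktutil` end up writing the same thing: the AFS `KeyFile` that the servers read. As an added example (not from this thread and not OpenAFS code), here is a small Python reader and writer for the classic DES `KeyFile` layout, together with the sanity checks an AFS admin would want to run on a `KeyFile` that another site produced and sent over. The layout is assumed from the classic `afsconf` structures: a big-endian 4-byte key count followed by one 12-byte record per key (4-byte kvno, 8-byte DES key), with the file padded to 8 records; the `MAX_KEYS` constant, the `KeyEntry` class and all sample keys are constructed for the example.

```python
"""
Added example: parse, build and audit a classic OpenAFS DES KeyFile.
Assumed on-disk layout (big-endian): int32 nkeys, then nkeys records of
(int32 kvno, 8-byte DES key), padded out to MAX_KEYS records.
"""
import struct
from dataclasses import dataclass
from typing import List

MAX_KEYS = 8                    # classic afsconf slot limit (assumption)
RECORD = struct.Struct(">i8s")  # kvno, key

# The four DES weak keys, in odd-parity form; a key derived from a real
# keytab or password should never be one of these.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("fefefefefefefefe"),
    bytes.fromhex("e0e0e0e0f1f1f1f1"),
    bytes.fromhex("1f1f1f1f0e0e0e0e"),
}


@dataclass
class KeyEntry:
    kvno: int
    key: bytes


def has_odd_parity(key: bytes) -> bool:
    """DES keys carry odd parity in every byte; a failed check usually
    means the bytes are not a DES key at all (wrong enctype, wrong offset)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def parse_keyfile(data: bytes) -> List[KeyEntry]:
    """Read the key count and records, ignoring any trailing padding."""
    if len(data) < 4:
        raise ValueError("KeyFile too short for a key count")
    (nkeys,) = struct.unpack(">i", data[:4])
    if not 0 <= nkeys <= MAX_KEYS:
        raise ValueError(f"implausible key count {nkeys}")
    if len(data) < 4 + nkeys * RECORD.size:
        raise ValueError("KeyFile truncated: fewer records than the count claims")
    entries = []
    for i in range(nkeys):
        kvno, key = RECORD.unpack_from(data, 4 + i * RECORD.size)
        entries.append(KeyEntry(kvno, key))
    return entries


def build_keyfile(entries: List[KeyEntry]) -> bytes:
    """Serialise entries in the assumed layout, padded to MAX_KEYS slots."""
    if len(entries) > MAX_KEYS:
        raise ValueError(f"at most {MAX_KEYS} keys fit in a KeyFile")
    out = struct.pack(">i", len(entries))
    for e in entries:
        if len(e.key) != 8:
            raise ValueError(f"kvno {e.kvno}: DES key must be 8 bytes")
        out += RECORD.pack(e.kvno, e.key)
    return out + b"\0" * (4 + MAX_KEYS * RECORD.size - len(out))


def audit(entries: List[KeyEntry]) -> List[str]:
    """Return a list of problems: duplicate kvnos, bad parity, weak keys."""
    problems, seen = [], set()
    for e in entries:
        if e.kvno in seen:
            problems.append(f"duplicate kvno {e.kvno}")
        seen.add(e.kvno)
        if not has_odd_parity(e.key):
            problems.append(f"kvno {e.kvno}: bad DES parity")
        if e.key in DES_WEAK_KEYS:
            problems.append(f"kvno {e.kvno}: DES weak key")
    return problems


# Constructed sample keys (not real cell keys): one well-formed, one that
# fails parity, one that is a DES weak key.
GOOD_KEY = bytes.fromhex("132537495b6d7f8f")
ZERO_KEY = bytes(8)
WEAK_KEY = bytes.fromhex("0101010101010101")

if __name__ == "__main__":
    blob = build_keyfile([KeyEntry(1, GOOD_KEY), KeyEntry(2, ZERO_KEY),
                          KeyEntry(3, WEAK_KEY)])
    for line in audit(parse_keyfile(blob)):
        print(line)
```

The kvno is the one thing the `KeyFile` shares with the KDC's `afs/cell` principal, so after importing a key with `asetkey` or `ktutil` it is worth comparing the kvnos this parser reports against what the KDC says the principal currently holds; a mismatch means the servers will reject tickets even though the key bytes are fine.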