[OpenAFS] afs@REALM purpose

Charles Clancy security@xauth.net
Thu, 12 Jun 2003 21:39:40 -0500 (CDT)


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> What is the purpose of the afs@REALM principal? What is it used for? What
> kerberos policies should be set for it? How long a lifetime does it need?
> Thank you.

It's the shared key between the TGS (ticket granting server, part of the
KDC) and the AFS server.  You (or aklog, more precisely) present your krb5
TGT to the TGS and say "hey, I want to talk to AFS".  The TGS says "okay"
and then forms a service ticket.  This ticket is then encrypted with the
afs@REALM principal's password and sent to the client.  The AFS server is
[hopefully] the only other party who knows this key, and therefore if a
client presents a ticket signed with this key, it knows it could only have
been generated by the TGS and should therefore be trusted.

Bottom line: anyone who knows the password to the afs@REALM account could
theoretically forge any AFS token they wanted.  I wonder, are there any
tools to exploit this for a known service principal password...

The lifetime of user tokens can be no longer than the lifetime of this
principal's key.  So, even if your users' lifetimes are 25 hours, they
will only be able to obtain 10 hour long tokens if the lifetime on
afs@REALM is 10 hours.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
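To make the ticket flow above concrete, here is a toy model of the TGS step, the AFS server's check, and the two consequences the reply draws from it (the forgery risk for anyone holding the afs@REALM key, and the lifetime cap). This is an added example written for this archive page, not code from the poster, OpenAFS, aklog or any Kerberos implementation. The cipher is a stdlib-only stand-in (SHA-256 keystream plus HMAC-SHA256) for the real enctype, the ticket layout is reduced to a JSON dict, and the principal names, keys, and lifetimes are constructed values.

```python
"""Toy model of the Kerberos service-ticket exchange described in the reply.

Constructed example, not OpenAFS or Kerberos code. A service ticket is
sealed under the service principal's key (afs@REALM here), so the AFS
server's only evidence that the KDC issued it is that it decrypts and
authenticates under that key.  Consequences shown by demo():
  * a party holding the afs@REALM key can mint a ticket the KDC never saw;
  * the ticket end time is capped by the service principal's max life.
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from SHA-256; stand-in for a real enctype.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket does not authenticate under this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """TGS side: knows every principal's key and max ticket life (constructed DB)."""

    def __init__(self, principals):
        self.principals = principals  # name -> {"key": bytes, "maxlife": seconds}

    def issue_service_ticket(self, client, service, now, requested_life):
        # End time is capped by both the client's and the service's max life.
        life = min(requested_life,
                   self.principals[client]["maxlife"],
                   self.principals[service]["maxlife"])
        ticket = {"client": client, "service": service, "start": now, "end": now + life}
        return encrypt(self.principals[service]["key"], json.dumps(ticket).encode())


class AFSServer:
    """Service side: holds only its own key, trusts whatever that key unseals."""

    def __init__(self, service, key):
        self.service, self.key = service, key

    def accept(self, blob, now):
        ticket = json.loads(decrypt(self.key, blob))
        if ticket["service"] != self.service or not ticket["start"] <= now < ticket["end"]:
            raise ValueError("ticket not for this service, or outside its validity window")
        return ticket["client"]


def forge_ticket(afs_key, client, service, now, life):
    # Anyone holding the afs@REALM key can do exactly what the TGS does.
    ticket = {"client": client, "service": service, "start": now, "end": now + life}
    return encrypt(afs_key, json.dumps(ticket).encode())


def demo():
    afs_key = os.urandom(32)
    kdc = KDC({"alice@REALM": {"key": os.urandom(32), "maxlife": 25 * 3600},
               "afs@REALM":   {"key": afs_key,        "maxlife": 10 * 3600}})
    afs = AFSServer("afs@REALM", afs_key)
    now = 1_000_000
    blob = kdc.issue_service_ticket("alice@REALM", "afs@REALM", now, 25 * 3600)
    issued = json.loads(decrypt(afs_key, blob))
    results = {
        "issued_life": issued["end"] - issued["start"],   # capped to 10h by afs@REALM
        "honest_client": afs.accept(blob, now),
        "forged_client": afs.accept(forge_ticket(afs_key, "admin@REALM", "afs@REALM", now, 3600), now),
    }
    try:  # a ticket sealed under some other key is rejected
        afs.accept(forge_ticket(os.urandom(32), "admin@REALM", "afs@REALM", now, 3600), now)
        results["wrong_key_rejected"] = False
    except ValueError:
        results["wrong_key_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The model deliberately omits the session key, authenticator and the client-side half of the exchange; the check that matters for the reply's point is the one in `AFSServer.accept`, which has no way to distinguish a KDC-issued ticket from one minted by anyone else who knows the afs@REALM key.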