[OpenAFS] AuthServer.Admin: What is the purpose of, and what should the setting be?

Ted Anderson TedAnderson@mindspring.com
Tue, 13 Jan 2004 07:34:18 -0500


On 12/23/2003 10:54, Dave Blakemore wrote:
> Could someone explain in general terms, what the purpose is for the
> AuthServer.Admin id, and what the setting should/need to be, as in what
> would: kas e AuthServer.Admin normally return?

The AuthServer.Admin identity has basically two roles: it is the repository 
of the kaserver's master key and it is the service used for 
administrative operations on the kaserver.  The master key is really 
just used to generate random numbers used by the server, e.g. for 
generating session keys.  An AuthServer.Admin service ticket is used by 
the kas command when performing its operations.  It is a bit of a 
security flaw to be giving out samples of ciphertext (i.e. admin service 
tickets) using the same key that is used to generate session keys. 
However, the kaserver changes this key automatically using fairly good 
sources of random numbers so the risk is very small.

The AuthServer.Admin settings are unlikely to need adjustment.  The 
usual settings affecting the role of any service principal apply as 
normal, except its password cannot be changed.

Hope This Helps,
Ted Anderson