[OpenAFS] AuthServer.Admin: What is the purpose of, and what should the setting be?

ted creedon tcreedon@easystreet.com
Tue, 13 Jan 2004 09:18:38 -0800

Is AuthServer.Admin the same user.role as admin in the IBM Quick Start?

-----Original Message-----
From: openafs-info-admin@openafs.org On Behalf Of Ted Anderson
Sent: Tuesday, January 13, 2004 4:34 AM
To: Dave Blakemore
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] AuthServer.Admin: What is the purpose of, and should the setting be?

On 12/23/2003 10:54, Dave Blakemore wrote:
> Could someone explain in general terms, what the purpose is for the
> AuthServer.Admin id, and what the setting should/need to be, as in
> would: kas e AuthServer.Admin normally return?

The AuthServer.Admin identity has basically two roles: it is the repository
of the kaserver's master key and it is the service used for
administrative operations on the kaserver.  The master key is really
just used to generate random numbers used by the server, e.g. for
generating session keys.  An AuthServer.Admin service ticket is used by
the kas command when performing its operations.  It is a bit of a
security flaw to be giving out samples of ciphertext (i.e. admin service
tickets) using the same key that is used to generate session keys.
However, the kaserver changes this key automatically using fairly good
sources of random numbers so the risk is very small.

The AuthServer.Admin settings are unlikely to need adjustment.  The
usual settings affecting the role of any service principal apply as
normal, except its password cannot be changed.

Hope This Helps,
Ted Anderson

OpenAFS-info mailing list