[OpenAFS] Preferred method for turning MIT Kerberos tickets into AFS tokens in Linux

Ken Hornstein (Contractor) kenh@cmf.nrl.navy.mil
Wed, 24 Nov 2004 14:42:10 -0500


>> So, what's happening with this in the long term?  Well, I've imported
>> aklog into OpenAFS (it doesn't build yet, but hey, it will).  fakeka
>> is now in MIT Kerberos.  I suspect asetkey should go into OpenAFS,
>> but I haven't talked to Derrick about it yet.  I haven't yet figured
>
>I don't know that I get to decide, but I agree, asetkey belongs.

Well, I try not to piss you off _that_ much :-)

>> out what to do with afs2k5db and ka-forwarder; ka-forwarder could probably
>> go into OpenAFS, but afs2k5db is a tough one.
>
>afs2k5db would be nice, but does it still use internal headers?

Yes ... although it occurs to me that you could make it so it doesn't.
The real issue is that the database entries are encrypted in the master
key, and you could either write code to read it from the keyboard or
just parse the keyfile yourself (it's not that hard).  The other bit is
that you need to write a replacement for krb5_dbekd_encrypt_key_data(),
but you could probably do that with public MIT APIs (Hm, I just looked
at it; it doesn't look that complicated).  Since MIT seems to want to
keep the database dump file format stable, it shouldn't matter if they
update it, as long as they support older dump file formats.

--Ken