[OpenAFS] Re: what is aklog's algorithm for "deducing" what cell to authenticate to?
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 30 Dec 2005 16:37:22 -0500
On Wednesday, December 28, 2005 01:44:26 PM -0500 Jeffrey Altman
<jaltman@secure-endpoints.com> wrote:
> A good solution for this would be to provide a new RPC that can be sent
> to any AFS service that requires authentication that would return a
> list of local authentication domains:
>
> * Kerberos 4: KERBEROS.REALM
>
> * Kerberos 5: KERBEROS.REALM
>
> * Kerberos 5: ANOTHER.REALM
>
> etc.
>
> Then aklog could obtain the list of AFSDB records and query the servers
> directly.
No, that would be a horrible solution. It's terribly insecure, and
introduces Kerberos-specific behavior at a time when we're trying to move
forward with a mechanism-independent security class. Really, Jeff, you
should know better.
-- Jeff