[OpenAFS] Re: "ktadd -k <anywhere> afs/xyz@REALM" breaks AFS instantly?
Brandon S. Allbery KF8NH
Tue, 14 Feb 2006 07:54:23 -0500
On Feb 14, 2006, at 3:27 , Juha J=E4ykk=E4 wrote:
>> Keytabs are normally not supposed to be shared between multiple
>> machines, and this approach means that kadmind doesn't need to =20
>> have the
>> capability of retrieving keys from the KDC, which is an additional
>> separation of capability and an additional level of security.
> Except that AFS requires a shared keytab. Nice. :-) What about
> (Heimdal's) ktutil, does it have the same "problem" as ktadd? And how
Heimdal's "kt_extract" (kadmin command) extracts a key without =20
generating a new one. (This is generally considered a bad thing; I =20
could see it being limited to kadmin's "local mode" in the future.) =20
Other mechanisms will indeed create a new key.
> would an AFS cell recover from the unfortunate human error of an admin
> doing the line in the subject? This sounds like a disaster waiting to
> happen, there must be an easy way out.
With heimdal you could use ktutil to copy the newly extracted keytab =20
into the KeyFile:
ktutil copy FILE:mykt AFSKEYFILE:KeyFile
This would still leave all outstanding tokens broken, but "aklog" =20
should recover once the KeyFile is back in sync with the KDC.
brandon s. allbery [linux,solaris,freebsd,perl] =20
system administrator [openafs,heimdal,too many hats] =20
electrical and computer engineering, carnegie mellon university =20