[OpenAFS] Re: foreign-realm members of system:administrators have weakened powers?

Ken Hornstein kenh@cmf.nrl.navy.mil
Fri, 27 Jan 2006 10:54:40 -0500

>Indeed, it should.  What Russ is alluding to here is the fact that most 
>aklog's determine what realm to use by applying the normal Kerberos 
>host-to-realm mapping on the hostname of one of the DB servers.  Of course, 
>this introduces all sorts of security issues related to trusting the names 
>in AFSDB records, but that's been true for a while.

You know, I've never been happy that aklog does that (I can't take all
the blame for that one; it was like that when I first got aklog).  I
understand why it was done, but it was always a kludge.

What do people think about the idea of having an AFS RPC which said,
"Hey, what's your Kerberos realm?"  This would have to be done
unauthenticated of course, so I don't see it being any better from a
security standpoint, but it would solve this particular problem, and it
really makes more sense.

(Since you don't forward TGTs to AFS fileservers, I don't view it as a
huge problem .... I admit it's not ideal and depending on what you do
with AFS I can think of some interesting possible attacks, but it's
certainly not worse than anything people are doing now).