[OpenAFS] ka-forwarder and kaserver

Stefan Strandberg stefan@cae.wisc.edu
Wed, 19 Nov 2008 14:34:30 -0600


This is interesting.  I'll look into it and see if it will work with
what we need for now.  Otherwise, I'll try to expedite our Kerberos
decisions so that I can just figure out how to migrate our kaserver
stuff (and the associated users, etc.) to a new krb5 install.

Thanks, and I'll let you know how this works out!

-stefan

On Wed, Nov 19, 2008 at 03:25:17PM -0500, Marcus Watts wrote:
> Ok.  They're on the same subnet.  This permits an interesting 'trick',
> which works like this:
> 
> Client sends to special program on host1.
> special program on host1 forwards the packet to host2,
> 	using the client's ip address.
> host2 receives the packet,
> 	thinks it came from client,
> 	does its thing, then sends to client.
> Client receives the packet from host2, associates it with originating
> 	rpc and completes the call.
> 
> Basically, the packets follow a triangular path.  Here's sample
> code for the very small "special program" on host1:
> 
> /afs/umich.edu/group/itd/build/mdw/tmp/buredir-m2.tgz
> 
> This uses a raw socket in order to "forge" packets that appear to come
> from the client.  It needs to run on the same lan segment so that the
> routers don't have an opportunity to discard the packet that's originating
> from the "wrong" subnet.
> 
> We used something like this at umich.edu for many years to locate
> buserver and budb on a separate host from the database servers, back
> when db server real estate was a scarce resource.
> 
> 					-Marcus Watts
> 

-- 
Stefan Strandberg
UNIX group
Computer Aided Engineering - UW Madison
stefan@cae.wisc.edu
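As an added illustration of the "triangular" forwarder Marcus describes above (this is not his buredir code, which is only available at the path he gives, nor anything from OpenAFS): a generic UDP forwarder for host1 that re-emits every datagram it receives through a raw socket with the IP source rewritten to the client's address and port, so host2's reply goes straight back to the client and host1 never sees it. The listen port, host2 address and host2 port are command-line assumptions; the packet-building and checksum routines are kept separate from the socket loop so they can be checked without root. It needs root or CAP_NET_RAW, and, as the posting says, only works when host1 and host2 share a LAN segment, since any router doing ingress filtering (uRPF) would drop a packet whose source address does not belong to the subnet it arrived from. Note also that host2 sees the request as coming from the client, so any address-based access checks on host2 apply to the client, not to host1.

```c
/* Added example (not from the list posting or OpenAFS): minimal "triangular"
 * UDP forwarder. Receives on host1, rebuilds each datagram as a raw IPv4/UDP
 * packet whose *source* is the original client, sends it to host2; host2 then
 * answers the client directly. Linux/BSD, needs root or CAP_NET_RAW. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#define IP_HLEN 20
#define UDP_HLEN 8
#define MAX_PKT 1500

/* RFC 1071 ones'-complement accumulation; `sum` seeds it so a UDP
 * pseudo-header and the datagram can be summed as one sequence. */
static uint32_t csum_accum(uint32_t sum, const uint8_t *buf, size_t len) {
    while (len > 1) { sum += (uint32_t)buf[0] << 8 | buf[1]; buf += 2; len -= 2; }
    if (len) sum += (uint32_t)buf[0] << 8;          /* odd trailing byte */
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Header checksum over `len` bytes; returns 0 when run over a valid header. */
uint16_t ip_checksum(const uint8_t *buf, size_t len) {
    return csum_fold(csum_accum(0, buf, len));
}

/* UDP checksum with the IPv4 pseudo-header; the addresses are read back out
 * of `pkt`, so the forged source is what gets covered. */
static uint16_t udp_checksum(const uint8_t *pkt, size_t udp_len) {
    uint8_t pseudo[12];
    memcpy(pseudo, pkt + 12, 8);                     /* src ip, dst ip */
    pseudo[8] = 0; pseudo[9] = IPPROTO_UDP;
    pseudo[10] = udp_len >> 8; pseudo[11] = udp_len & 0xff;
    uint32_t sum = csum_accum(0, pseudo, sizeof pseudo);
    return csum_fold(csum_accum(sum, pkt + IP_HLEN, udp_len));
}

/* Build IPv4+UDP in `out`. Addresses and ports are network byte order, as they
 * come out of struct sockaddr_in. Returns total length, 0 if it would not fit. */
size_t build_spoofed_udp(uint8_t *out, uint32_t src_ip, uint16_t src_port,
                         uint32_t dst_ip, uint16_t dst_port,
                         const uint8_t *payload, size_t plen) {
    size_t udp_len = UDP_HLEN + plen, total = IP_HLEN + udp_len;
    if (total > MAX_PKT) return 0;
    memset(out, 0, IP_HLEN + UDP_HLEN);
    out[0] = 0x45;                                   /* v4, IHL 5 words */
    out[2] = total >> 8; out[3] = total & 0xff;
    out[8] = 64; out[9] = IPPROTO_UDP;               /* TTL, protocol */
    memcpy(out + 12, &src_ip, 4);                    /* the forged source */
    memcpy(out + 16, &dst_ip, 4);
    uint16_t c = ip_checksum(out, IP_HLEN); out[10] = c >> 8; out[11] = c & 0xff;
    memcpy(out + 20, &src_port, 2); memcpy(out + 22, &dst_port, 2);
    out[24] = udp_len >> 8; out[25] = udp_len & 0xff;
    memcpy(out + 28, payload, plen);
    c = udp_checksum(out, udp_len);
    if (c == 0) c = 0xffff;                          /* 0 would mean "no checksum" */
    out[26] = c >> 8; out[27] = c & 0xff;
    return total;
}

/* Receiver-side check: lengths consistent and both checksums verify. */
int verify_packet(const uint8_t *pkt, size_t len) {
    if (len < IP_HLEN + UDP_HLEN || pkt[0] != 0x45 || pkt[9] != IPPROTO_UDP) return 0;
    size_t total = (size_t)pkt[2] << 8 | pkt[3], udp_len = (size_t)pkt[24] << 8 | pkt[25];
    if (total != len || udp_len != len - IP_HLEN) return 0;
    if (ip_checksum(pkt, IP_HLEN) != 0) return 0;
    return udp_checksum(pkt, udp_len) == 0;
}

int main(int argc, char **argv) {
    if (argc != 4) { fprintf(stderr, "usage: %s listen_port host2_ip host2_port\n", argv[0]); return 1; }
    int lsock = socket(AF_INET, SOCK_DGRAM, 0);
    int rsock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);   /* root / CAP_NET_RAW */
    if (lsock < 0 || rsock < 0) { perror("socket"); return 1; }
    int one = 1;
    setsockopt(rsock, IPPROTO_IP, IP_HDRINCL, &one, sizeof one); /* we supply the IP header */
    struct sockaddr_in me = {0}, host2 = {0}, cli;
    me.sin_family = AF_INET; me.sin_port = htons((uint16_t)atoi(argv[1]));
    host2.sin_family = AF_INET; host2.sin_port = htons((uint16_t)atoi(argv[3]));
    if (inet_pton(AF_INET, argv[2], &host2.sin_addr) != 1 ||
        bind(lsock, (struct sockaddr *)&me, sizeof me) < 0) { perror("setup"); return 1; }
    uint8_t in[MAX_PKT], pkt[MAX_PKT];
    for (;;) {
        socklen_t cl = sizeof cli;
        ssize_t n = recvfrom(lsock, in, sizeof in, 0, (struct sockaddr *)&cli, &cl);
        if (n < 0) { perror("recvfrom"); continue; }
        size_t len = build_spoofed_udp(pkt, cli.sin_addr.s_addr, cli.sin_port,
                                       host2.sin_addr.s_addr, host2.sin_port, in, (size_t)n);
        if (len && sendto(rsock, pkt, len, 0, (struct sockaddr *)&host2, sizeof host2) < 0)
            perror("sendto");
    }
}
```

Run it on host1 as `./fwd 7004 10.0.0.9 7004` (addresses and ports are placeholders) and point the client at host1; from the client's side the reply arrives from host2's address, which is what Rx needs to match it to the outstanding call only if the client is willing to accept a reply from a different address than it sent to, so confirm that with the client in question before relying on this.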