[OpenAFS] ka-forwarder and kaserver
Wed, 19 Nov 2008 14:34:30 -0600
This is interesting. I'll look into it and see if it will work with
what we need for now. Otherwise, I'll try to expedite our kerberos
decisions so that I can just figure out how to migrate our kaserver
stuff (and the associated users, etc) to a new krb5 install.
Thanks, and I'll let you know how this works out!
On Wed, Nov 19, 2008 at 03:25:17PM -0500, Marcus Watts wrote:
> Ok. They're on the same subnet. This permits an interesting 'trick',
> which works like this:
> Client sends to special program on host1.
> special program on host1 forwards the packet to host2,
> using the client's ip address.
> host2 receives the packet,
> thinks it came from client,
> does its thing, then sends to client.
> Client receives the packet from host2, associates it with originating
> rpc and completes the call.
> Basically, the packets follow a triangular path. Here's sample
> code for the very small "special program" on host1:
> This uses a raw socket in order to "forge" packets that appear to come
> from the client. It needs to run on the same lan segment so that the
> routers don't have an opportunity to discard the packet that's originating
> from the "wrong" subnet.
> We used something like this at umich.edu for many years to locate
> buserver and budb on a separate host from the database servers, back
> when db server real estate was a scarce resource.
> -Marcus Watts
Computer Aided Engineering - UW Madison