[OpenAFS] AFS Token / Kerberos v5 ticket

Rainer Toebbicke rtb@pclella.cern.ch
Tue, 20 Oct 2009 12:59:45 +0200


the "forge" code that Remi tried to get working is capable of decrypting an AFS token both for K4 and K5, however it can only re-encrypt a K4 one, not

When he asked me for advice I suggested to drop that code and rather use Heimdal's kadmin extract to temporarily extract a keytab entry for the user in question and then simply do a "kinit -k" + aklog to build a new token for shipment back to the batch worker.

This is also possible with MIT Kerberos, using a mod to ktutil developed by

Sure enough, all this has to take place on a trusted server using an authenticated and secure channel, no keys are available to the batch worker.

For both, once the batch job is running, within the ticket refresh period an occasional "kinit -R" + aklog is sufficient and safer.

BTW: for the brave, "impersonating" as a user (which is what your batch system does in the end) is also possible without hacking or C-coding, using a suitably mapped certificate, with Heimdal and even Windows. Probably MIT as well. Just increasingly tricky to keep it hackerproof.

Cheers, Rainer

Xavier Canehan schrieb:

> Our home made batch system used to save and forge kas tickets. No
> Kerberos 5, not very secure, easiest. Moreover, it was just navigating
> through bit fields to forge a ticket. No AFS primitive implied.
> We are migrating: away from current batch system and to Kerberos 5.
> During process, we have to modify our batch system, whilst main
> developer retired.
> As Rémi worked on Kerberos 5 migration here, he has been volunteered
> provided code to migrate our batch system. Thus, he is investigating
> several options to cope either with kas, fakeka, K5.
> He may have not been clear: we are not willing to put a keyfile in
> unsecure places. We have to modify our batch master and prepare the
> place for the next.
> Thanks to every one who helped, either with directions or code.
> Rémi is adapting code from Rainer Toebbicke. If not successful, we will
> certainly switch to Heimdal, as suggested by Derrick Brashear.

Rainer Toebbicke
European Laboratory for Particle Physics (CERN) - Geneva, Switzerland
Phone: +41 22 767 8985       Fax: +41 22 767 7155