[OpenAFS] "reauth" code?

Russ Allbery rra@stanford.edu
Thu, 23 Aug 2012 15:30:48 -0700


Gary Gatling <gsgatlin@ncsu.edu> writes:

> Thanks so much.

> We are using AFS with Kerberos 5.

In that case, you want to toss out anything that's using the ka_*
functions, such as reauth, because they won't work.  Those are all
specific to the kaserver.

kstart should do what you want, I believe, in a Kerberos v5 sort of way,
although I forget if reauth was one of the programs that cached the
password in memory.  If so, I have intentionally not implemented that
functionality in kstart (at least yet) since it makes me unhappy from a
security perspective, but I probably will eventually.  Currently, kstart
requires that you create a keytab if you want to do persistent
reauthentication.  (One of the reasons why I'll probably implement it
anyway is that storing the password in memory is probably still more
secure than creating a keytab file on disk.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
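
The following is an added example, not part of the original message and not code from kstart: one way to address the on-disk keytab concern raised above is to confirm the keytab is private before handing it to k5start. The function names and any paths passed in are hypothetical; the k5start options used are -f, -U, -t, -K, -b and -k.

```shell
#!/bin/sh
# Added example (not from the original message or from kstart itself).
# Function names and the paths passed to them are hypothetical.

# Return 0 only if the keytab is a regular file (not a symlink), owned by
# the calling user, with no group/other permission bits and no ACL entry.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    # ls -ldn prints e.g. "-rw------- 1 1000 1000 ..." (numeric owner).
    set -- $(ls -ldn "$kt")
    mode=$1 owner=$3
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        -???------+*) return 1 ;;  # ACL present; could grant extra access
        -???------*)  return 0 ;;  # nothing for group or other
        *)            return 1 ;;
    esac
}

# Start persistent reauthentication from a keytab, refusing a keytab that
# other local users could read.
start_reauth() {
    kt=$1 cache=$2
    keytab_is_private "$kt" || {
        echo "refusing to use $kt: not a private regular file" >&2
        return 1
    }
    # -f: keytab to authenticate from
    # -U: take the principal name from the keytab
    # -t: run aklog after getting tickets, to obtain AFS tokens
    # -K 30: wake every 30 minutes and renew when the ticket is near expiry
    # -b: detach and run in the background
    # -k: ticket cache to maintain
    k5start -f "$kt" -U -t -K 30 -b -k "$cache"
}
```
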