Hi, I need help to create a little hack on Kerberos / AFS.
My final aim is to forge Tokens (Ticket Granting Server for AFS (Andrew File System)) without any passwords from the users (directly with the Master Key).
Our production system works as follows:
- the client SSHes onto a machine and is granted an AFS Token obtained with aklog. At this very step, the user has the Ticket Granting Ticket krbtgt/re...@realm and the afs/c...@realm Ticket Granting Service ticket. It also has an AFS Token obtained with aklog.
- the user will then submit a job to our Batch system.
- the job will be processed X hours/minutes later and could last a long time.

Our problem is that some jobs could last longer than the AFS token lifetime. Once this lifetime has expired, jobs cannot access AFS filesystems anymore and will abort.
My idea is to implement a new functionality in our Batch system: the capacity of "Token regeneration".
My first idea was to:
* store the Master Key K/m...@realm in a KeyTab.
* store the TGT somewhere once the user has been granted the TGT (on the client side).
* once the Token is going to expire, I would like to read the K/M from the KeyTab and use it to decrypt the user TGT stored at the previous step.
* once the user TGT has been decrypted with the K/M, I will then be able to modify the expiration time and other fields.
I still have many questions about details:
* the stash file is used to decrypt the DataBase, isn't it?
* Every DataBase entry is encrypted with the Master Key, isn't it?
* On the KDC side, the TGT is decrypted with the Master Key in the DataBase (is this the K/m...@realm entry?)
* when the TGT is in the client cache, the TGT is encrypted with the user password, isn't it?
* If I have my K/M in a KeyTab, am I able to decrypt the TGT stored in the client cache?
Is this possible? Any other idea is accepted... Thanks in advance for your help :)

--
Remi Ferrand | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
