On 29 Sep 2009, at 10:31, Remi Ferrand wrote:

> Hi,
>
> I need help to create a little hack on Kerberos / AFS.

You'd be much better off asking this question on the openafs-devel list, to which I've directed followups. This is definitely off-topic for krb-devel, and is actually not particularly Kerberos dependent at all.

> My final aim is to forge Tokens (Ticket Granting Server for AFS
> (Andrew File System)) without any passwords from the users (directly
> with the Master Key).

You don't need to use the Kerberos master key for this - you can forge AFS tokens using just the afs/<cell>@<REALM> key that's stored in your servers' keyfiles. The daemon that lives behind gssklog already forges AFS tokens - that's probably a good location to look for code.

Hope that helps,

Simon.

> Our production system works as follows:
> - the client SSHes onto a machine and is granted an AFS Token obtained
>   with aklog.
>   At this very step, the user has the Ticket Granting Ticket krbtgt/
>   re...@realm ticket and the afs/c...@realm Ticket Granting Service.
>   It also has an AFS Token obtained with aklog.
> - the user will then submit a job to our Batch system.
> - the job will be processed X hours/minutes later and could last a
>   long time.
>
> Our problem is that some jobs could last more than the AFS token
> lifetime.
> Once this lifetime is expired, jobs could not access AFS filesystems
> anymore and will abort.
>
> My idea is to implement a new functionality in our Batch system:
> the capacity of "Token regeneration".
> My first idea was to:
> * store the Master Key K/m...@realm in a KeyTab.
> * store the TGT somewhere once the user has been granted the TGT (on
>   the client side).
> * once the Token is going to expire, I would like to read the K/M
>   from the KeyTab and use it to decrypt the user TGT stored at the
>   previous step.
> * once the user TGT has been decrypted with the K/M I will then be
>   able to modify expiration time and other fields.
>
> I still have many questions about details:
> * the stash file is used to decrypt the DataBase, isn't it?
> * Every DataBase entry is encrypted with the Master Key, isn't it?
> * On the KDC side, the TGT is decrypted with the Master Key in the
>   DataBase (is this the K/m...@realm entry?)
> * when the TGT is in the client cache, the TGT is encrypted with the
>   user password, isn't it?
> * If I have my K/M in a KeyTab, am I able to decrypt the TGT stored
>   in the client cache?
>
> Is this possible?
> Any other is accepted...
>
> Thanks in advance for your help :)
>
> --
>
> Remi Ferrand                | Institut National de Physique Nucleaire
> Tel. +33(0)4.78.93.08.80    | et de Physique des Particules
> Fax. +33(0)4.72.69.41.70    | Centre de Calcul - http://cc.in2p3.fr/
>
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
