forwarding tokens to other machine

assar@stacken.kth.se assar at stacken.kth.se
Wed Aug 4 22:23:40 CEST 1999


Herbert Huber <Herbert.Huber at lrz-muenchen.de> writes:
> In "Transarc's" or "CODINE's" version of GetToken the following
> structures are printed to STDOUT in the following order:
> ktc_principal service
> ktc_principal client
> ktc_token token
> Redirecting the output to the local harddisk produces a file with a
> length of 752 bytes, whereas your GetToken binary writes only 92 bytes
> to STDOUT. The output of Transarc's GetToken is the same, using
> arla or the original AFS client. So you are right, there seems to be no
> difference in the token structure.

Do you need to be compatible with that program?

> By "extend" I wanted to say extending the lifetime of the token. This can
> be done by having the secret key of the server available, decoding the
> AFS token and fabricating a new token, using the information of the old
> token (AFS ID, etc.).

Yes, this can be done with the kerberos ticket and then creating a new
ticket from that.  The functions in krb4 corresponding to the Transarc
decodeTicket() and encodeTicket() would be decomp_ticket() and
krb_create_ticket().

A program that uses these functions to renew kerberos tickets is
available at <ftp://ftp.pdc.kth.se/home/assar/Public/tfutil.tar.gz>.
You could either just call afslog after having renewed the ticket or, if
that isn't available any longer, use gettoken beforehand.

/assar