Talking about tokens.

Per Boussard Per.Boussard at era-t.ericsson.se
Thu Mar 16 10:26:21 CET 2000


I have more than once been annoyed by the behaviour of the `tokens` and
`klist -T` commands in how they present the identity information
associated with the token. It gives the (AFS ID somenumber) which often,
if I do strange things, is strictly incorrect.

For example, if I get tokens on my linux-box where my uid is 500, then the
AFS ID somenumber will be 500. This is not correct. The AFS ID associated
with the token is another number. There are numerous other games you can
play with tickets and tokens and the transarc-client too is badly confused
about the information. One other funny example is if I get tgts in a ticket
file, su another user, copy the ticket file and afslog. Then the AFS ID
presented from klist -T or tokens will be the uid of the su'd user, but
the tokens, if you try using them, are obviously the right ones (anything
else would be a very bad security breach of kerberos/afs).

I would like the klist -T and tokens commands to present the AFS ID as
user.instance at realm. This information is obviously there somewhere (in the
running arlad) since otherwise it could not produce an authenticator to
send to the afs server (I am way out on thin ice here).

Is this a good idea, or are there strong arguments against? We would not
by default behave the same (in my opinion broken) way as Transarc's tokens,
but is that important?

//Per
----
Per Boussard, KI/ERA/T/VA          Office: +46 8 404 55 11
UNIX System Administrator          Fax: +46 8 757 55 50
Ericsson Radio Systems AB          Home: +46 8 570 349 67
S-164 80 STOCKHOLM, SWEDEN         Email: Per.Boussard at era-t.ericsson.se





