Talking about tokens.

Assar Westerlund assar at stacken.kth.se
Fri Mar 17 17:49:37 CET 2000


Per Boussard <Per.Boussard at era-t.ericsson.se> writes:
> On 16 Mar 2000, Johan Danielsson wrote:
> 
> > The only information available is the uid of whoever called
> > VIOCSETTOK.
> 
> If I have understood this kerberos-business correctly, the client
> requesting a service (in my case arlad getting me files on my behalf) will
> have to compose an authenticator and then send that together with the
> service-ticket (obtained from the tgs) to the afs-server. My understanding
> is that the client-name (user at cell) is used in the authenticator. What am
> I missing?

Yes, but as others have said, that's not the way it works with AFS.
The stuff that's available to you is (used by VIOCGETTOK, VIOCSETTOK):

struct ClearToken {
  int32_t AuthHandle;       /* key version / handle for the server's key */
  char HandShakeKey[8];     /* session key from the kerberos ticket */
  int32_t ViceId;           /* whatever the caller of VIOCSETTOK put here */
  int32_t BeginTimestamp;   /* token valid from (unix time) */
  int32_t EndTimestamp;     /* token valid until (unix time) */
};

and the ViceId is never used by anything, only printed by klist.

The HandShakeKey is the session key from the kerberos ticket and that
is used in a challenge-response protocol when authenticating to the
file server.

My own opinion is that it's not worth the effort to set ViceId
correctly, but then Chris Wing disagreed and wrote the `klog' you can
use that does this.  Having some program (klist/tokens/whatever) look
up the Id in the pt-server seems a bad idea to me, since you cannot
guarantee the validity of ViceId anyways, so that information cannot
be trusted but users would probably believe it more.

Another option is removing the printing of Ids by klist (or make it
not the default). :-)

I hope this clarifies matters and partly our reasons for the way we
have done things.

/assar
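The trust model Assar describes above, as an added example (not code from Arla, the mail, or the AFS sources): the file server only ever learns an identity through the ticket and the HandShakeKey challenge-response, so the ViceId field in the ClearToken is an unverified claim by whoever called VIOCSETTOK. The keyed response below is a toy stand-in (FNV-1a over key and nonce) for rxkad's real DES-based exchange, the principal id 4242, the key bytes and the timestamps are all constructed, and the function names are this example's own.

```c
/* Added example: why the kernel cannot vouch for ClearToken.ViceId.
 * The challenge-response is a toy (FNV-1a over key||nonce), NOT rxkad. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct ClearToken {
  int32_t AuthHandle;
  char HandShakeKey[8];
  int32_t ViceId;
  int32_t BeginTimestamp;
  int32_t EndTimestamp;
};

enum token_status { TOKEN_OK = 0, TOKEN_NOT_YET_VALID, TOKEN_EXPIRED };

/* The only thing checkable locally is the validity window; ViceId is
 * just an integer chosen by the process that issued VIOCSETTOK. */
enum token_status clear_token_status(const struct ClearToken *ct, int32_t now)
{
  if (now < ct->BeginTimestamp) return TOKEN_NOT_YET_VALID;
  if (now >= ct->EndTimestamp)  return TOKEN_EXPIRED;
  return TOKEN_OK;
}

/* Toy keyed response over the 8-byte key and a 32-bit nonce (stand-in). */
static uint32_t toy_response(const char key[8], uint32_t nonce)
{
  uint32_t h = 2166136261u;
  int i;
  for (i = 0; i < 8; i++) { h ^= (uint8_t)key[i];              h *= 16777619u; }
  for (i = 0; i < 4; i++) { h ^= (uint8_t)(nonce >> (8 * i)); h *= 16777619u; }
  return h;
}

/* What the file server holds: the session key it recovered from the
 * ticket and the principal named in that ticket (constructed id here). */
struct server_view {
  char session_key[8];
  int32_t principal_id;
};

/* Client side: answer the challenge with HandShakeKey from its token. */
uint32_t client_answer(const struct ClearToken *ct, uint32_t nonce)
{
  return toy_response(ct->HandShakeKey, nonce);
}

/* Server side: accept and return the ticket's identity, or -1 on failure.
 * Note that the token's ViceId never enters this decision. */
int32_t server_verify(const struct server_view *sv, uint32_t nonce, uint32_t answer)
{
  if (toy_response(sv->session_key, nonce) != answer) return -1;
  return sv->principal_id;
}

/* Demo: any ViceId with the right key yields the same accepted identity;
 * the right ViceId with the wrong key yields nothing. */
int32_t demo_identity_for(int32_t claimed_vice_id, int key_is_right)
{
  static const char real_key[8] = "k3y-demo";      /* constructed */
  struct server_view sv = { {0}, 4242 };           /* constructed principal */
  struct ClearToken ct;
  uint32_t nonce = 0xdeadbeefu;                    /* a real server draws this randomly */

  memcpy(sv.session_key, real_key, 8);
  memset(&ct, 0, sizeof ct);
  memcpy(ct.HandShakeKey, key_is_right ? real_key : "wrongkey", 8);
  ct.ViceId = claimed_vice_id;
  ct.BeginTimestamp = 1000;
  ct.EndTimestamp   = 2000;

  if (clear_token_status(&ct, 1500) != TOKEN_OK) return -1;
  return server_verify(&sv, nonce, client_answer(&ct, nonce));
}

int main(void)
{
  printf("ViceId 1, right key      -> %d\n", (int)demo_identity_for(1, 1));
  printf("ViceId 99999, right key  -> %d\n", (int)demo_identity_for(99999, 1));
  printf("ViceId 4242, wrong key   -> %d\n", (int)demo_identity_for(4242, 0));
  return 0;
}
```

The point the demo makes is the one from the mail: klist printing ViceId shows what the token setter claimed, not what the file server will believe, so a display that resolves that number through the pt-server lends it credibility it has not earned.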