Talking about tokens.

Johan Danielsson joda at pdc.kth.se
Mon Mar 20 15:13:56 CET 2000


Per Boussard <Per.Boussard at era-t.ericsson.se> writes:

> 0) The struct ClearToken is issued by kerberos, not by the afs
> server.

Yes, and no. The ClearToken is a subset of the credentials returned by
the KDC. The ticket is also stuffed into the kernel (but that, as the
name implies, isn't part of the ClearToken).

> 1) HandShakeKey is a 64-bit random number. Nothing is coded in
> it. Each time I authenticate afresh (get new tokens, say) I get a
> new HandShakeKey.

It's the session key from the Kerberos ticket.

> 2) AuthHandle is a handle that (as a handle) is private to the afs
> server and that tells the server what afs id I am.

No, that's the purpose of the ViceId. The AuthHandle is a pointer to
the secret key the ticket is encrypted with (equal to the kvno). In
practice I don't think the ViceId supplied by the client is used
for anything (the server does a lookup of the name in the ticket to
get the real vid).

/Johan




