Talking about tokens.
Johan Danielsson
joda at pdc.kth.se
Mon Mar 20 15:13:56 CET 2000
Per Boussard <Per.Boussard at era-t.ericsson.se> writes:
> 0) The struct ClearToken is issued by kerberos, not by the afs
> server.
Yes, and no. The ClearToken is a subset of the credentials returned by
the KDC. The ticket is also stuffed into the kernel (but that, as the
name implies, isn't part of the ClearToken).
> 1) HandShakeKey is a 64 bit random number. Nothing is coded in
> it. Each time I authenticate afresh (get new tokens, say) I get a
> new HandShakeKey.
It's the session key from the Kerberos ticket.
> 2) AuthHandle is a handle that (as a handle) is private to the afs
> server and that tells the server what afs id I am.
No, that's the purpose of the ViceId. The AuthHandle is a pointer to
the secret key the ticket is encrypted with (equal to the kvno). In
practice I don't think the ViceId supplied by the client isn't used
for anything (the server does a lookup of the name in the ticket to
get the real vid).
/Johan
More information about the Arla-drinkers
mailing list