Questions on kerb 4 vice kerb 5
Henry B. Hotz
hotz at jpl.nasa.gov
Thu Nov 15 21:08:55 CET 2001
At 8:47 AM -0800 11/15/01, Thomas Vincent wrote:
>Then it is K5 over the wire?
>
>On Thursday, November 15, 2001, at 02:07 AM, Magnus Ahltorp wrote:
>
>>Heimdal afslog is the program I use, and it gets AFS tokens by
>>converting a krb5 credential to krb4 and inserting that into the
>>kernel. The rxkad protocol is the weak link here, I think.

Maybe I wasn't clear enough.

As I understand it there are 3 possibly relevant wire protocols:

  rx   the native AFS authentication, closely related to k4
  k4   supported by the AFS kaserver with a non-standard string-to-key
  k5   ¿usable? by AFS with non-standard authentication tools

rx and k4 both suffer the same well-known replay vulnerability.
Could I close both of them off with a firewall and still get
everything I need using only k5?

If I understand what Magnus said then the answer is yes. The
authentication program to use is afslog (from Heimdal), and it will
work with Transarc/OpenAFS as well as Arla. That sounds like exactly
what I wanted to hear.

Thank you.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the Arla-drinkers
mailing list