cron on AFS files]
Ken Hornstein
kenh@cmf.nrl.navy.mil
Sat, 03 Mar 2001 00:16:47 -0500
>But most of our AFS clients don't have an /etc/krb.conf. That's why our
>primary authentication server has the alias 'kerberos', because we don't
>have the ability to dictate the contents of /etc/krb.conf or environment
>variables on the users' workstations. Yet klog manages to exercise
>redundancy in the face of this... how?

You certainly have the ability to dictate the contents of
/usr/vice/etc/CellServDB on your AFS clients, don't you? :-)

FWIW, klog doesn't use the V4 Kerberos network protocol; it uses
RX to talk to one of the kaservers listed in your CellServDB. I think
there's an API function that does what you want (probably something like
ka_UserAuthenticateGeneral(), but I forget now).

>>The advantage of gettoken is that it uses a srvtab and not a user
>>password. The srvtab still needs to be stored somewhere on the local
>>machine, and is a security issue, but it's not quite as bad as
>>storing a naked plaintext password.

I don't really agree here; it's only _slightly_ better (I'm talking a
hair better), since the key is a password-equivalent.

--Ken