cron on AFS files]

Peter Scott Peter.J.Scott@jpl.nasa.gov
Sat, 03 Mar 2001 18:04:07 -0800 

At 02:07 PM 3/3/01 -0500, Ken Hornstein wrote:
>But I think if you make the conditions for using this program, "You have
>to have a krb.conf with these entries in it", then people who wanted
>to use this program would be highly motivated to fix it.

That's quite logical.  I'll take it up with the policy makers.

> >I'm aware of this routine, we even use it, but the documentation is
> >thoroughly inadequate to understanding it (all I have is
> >/afs/transarc.com/public/afsps/doc/progref/3.0/main.ps, anyway).  Does that
> >do failover?  But in any case, it takes a password, and for improving
> >gettoken, I need something that takes a key.
>
>Geez ... you've got the source, Pete! :-)

Doh!  After all these years the habit of depending on Transarc dies hard.

> From looking at the source to ka_UserAuthenticateGeneral, I think you
>need to call ka_GetAuthToken and ka_GetAFSTicket (look at GetTickets in
>kauth/user.c).

Thanks, I'll hop on it.

> >> >>The advantage of gettoken is that it uses a srvtab and not a user
> >> >>password.  The srvtab still needs to be stored somewhere on the local
> >> >>machine, and is a security issue, but it's not quite as bad as
> >> >>storing a naked plaintext password.
> >>
> >>I don't really agree here; it's only _slightly_ better (I'm talking a
> >>hair better), since the key is a password-equivalant.
> >
> >Sure, but do you have a better idea?
>
>Oh, please don't understand me; I think this is a reasonable idea, _as
>long as you understand the limitations and vulnerabilities_.  We do
>this here as well.  But telling people that storing a key isn't as bad
>as a password is doing them a disservice, IMHO.

We don't, but to quote Dennis Ritchie (on X), "Sometimes when you fill a 
vacuum, it still sucks."

>In case you're wondering .... for users that want this at our site, we
>give them a special "cron" instance (kenh/cron in V5 format, kenh.cron in
>V4 format) and let the user add the cron instance to the appropriate ACLs
>in AFS.  Since that special cron user has restricted priviledges (they
>can't use it for interactive login by default), I'm confortable with
>that tradeoff.  But since we use Kerberos 5 with AFS, we use Kerberos 5
>tools for that, so that won't help you.

Hmmph.  So what do your cron users do when they want to write cron jobs 
that modify files in AFS?  Trust all their fellow cron users?

--
Peter Scott
Peter.J.Scott@jpl.nasa.gov