[31514] in Kerberos


Hack Kerberos / AFS

daemon@ATHENA.MIT.EDU (Remi Ferrand)
Tue Sep 29 04:32:25 2009

Message-ID: <4AC1C5D4.8040903@cc.in2p3.fr>
Date: Tue, 29 Sep 2009 10:31:16 +0200
From: Remi Ferrand <remi.ferrand@cc.in2p3.fr>
MIME-Version: 1.0
To: Kerberos List <kerberos@mit.edu>, Kerberos-Dev List <krbdev@mit.edu>
Reply-To: remi.ferrand@cc.in2p3.fr
Errors-To: kerberos-bounces@mit.edu

Hi,

I need help to create a little hack on Kerberos / AFS.


My final aim is to forge Tokens (Ticket Granting Server for AFS (Andrew 
File System)) without any passwords from the users (directly with the 
Master Key).

Our production system works as follows:
- the client SSHes onto a machine and is granted an AFS Token obtained 
with aklog.
At this very step, the user has the Ticket Granting Ticket 
krbtgt/REALM@REALM ticket and the afs/cell@REALM Ticket Granting 
Service. It also has an AFS Token obtained with aklog.
- the user will then submit a job to our Batch system.
- the job will be processed X hours/minutes later and could last a long 
time.

Our problem is that some jobs could last more than the AFS token lifetime.
Once this lifetime is expired, jobs could not access AFS filesystems 
anymore and will abort.

My idea is to implement a new functionality in our Batch system: the 
capacity of "Token regeneration".
My first idea was to :
* store the Master Key K/M@REALM in a KeyTab.
* store the TGT somewhere once the user has been granted the TGT (on the 
client side).
* once the Token is going to expire, I would like to read the K/M from 
the KeyTab and use it to decrypt the user TGT stored at the previous step.
* once the user TGT has been decrypted with the K/M I will then be able 
to modify expiration time and other fields.

I still have many questions about details:
* the stash file is used to decrypt the database, isn't it?
* Every database entry is encrypted with the Master Key, isn't it?
* On the KDC side, the TGT is decrypted with the Master Key in the 
database (is this the K/M@REALM entry?)
* when the TGT is in the client cache, the TGT is encrypted with the 
user password, isn't it?
* If I have my K/M in a KeyTab, am I able to decrypt the TGT stored in 
the client cache?

Is this possible?
Any other idea is accepted...

Thanks in advance for your help :)


-- 

Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
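The questions in the post above all come down to which key wraps what. In MIT Kerberos the master key K/M (the stash file) encrypts the key material of each principal stored in the KDB; it never encrypts a ticket. A TGT's enc-part is encrypted under the long-term key of krbtgt/REALM@REALM, and the AS-REP enc-part (carrying the session key) is encrypted under the user's long-term key. The credential cache written by kinit is not encrypted with the user's password: it holds the ticket blob plus the session key in the clear, protected only by file permissions, and the AFS token aklog derives from the afs/cell service ticket sits in the kernel the same way. The following stand-alone Python model is an added example written for this page, not code from the original post or from MIT Kerberos; its cipher is a toy HMAC-SHA256 stream-and-MAC construction standing in for a real Kerberos enctype, and the field names, labels and the principal "remi@REALM" are this example's own assumptions.

```python
# Added example: stdlib-only model of Kerberos key layering (toy cipher,
# not a real enctype). Shows which key decrypts the TGT and what the
# client cache actually contains.
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, label: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag (assumed layout)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, label: bytes, blob: bytes) -> bytes:
    """Returns plaintext; raises ValueError if key, label or tag do not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, label + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def string_to_key(password: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (salt omitted).
    return hashlib.sha256(password.encode()).digest()


# --- KDC side: what the stash file and the KDB hold -----------------------
MASTER_KEY = os.urandom(32)          # K/M@REALM, the stash file key
KRBTGT_KEY = os.urandom(32)          # long-term key of krbtgt/REALM@REALM
USER_KEY = string_to_key("hunter2")  # user's long-term key (hypothetical password)

# Each KDB entry's key material is stored encrypted under K/M.
KDB = {
    "krbtgt/REALM@REALM": seal(MASTER_KEY, b"kdb", KRBTGT_KEY),
    "remi@REALM": seal(MASTER_KEY, b"kdb", USER_KEY),
}


def kdc_issue_tgt(client: str, endtime: int) -> Tuple[bytes, bytes]:
    """AS exchange: ticket enc-part under the krbtgt key, AS-REP enc-part under the client key."""
    krbtgt_key = unseal(MASTER_KEY, b"kdb", KDB["krbtgt/REALM@REALM"])
    client_key = unseal(MASTER_KEY, b"kdb", KDB[client])
    session_key = os.urandom(32)
    body = {"cname": client, "key": session_key.hex(), "endtime": endtime}
    ticket = seal(krbtgt_key, b"ticket", json.dumps(body).encode())
    as_rep = seal(client_key, b"as-rep",
                  json.dumps({"key": session_key.hex(), "endtime": endtime}).encode())
    return ticket, as_rep


# --- client side: what kinit writes to the credential cache ---------------
def build_ccache(password: str, ticket: bytes, as_rep: bytes) -> dict:
    """The cache holds the opaque ticket plus the session key in the clear."""
    rep = json.loads(unseal(string_to_key(password), b"as-rep", as_rep))
    return {"ticket": ticket, "session_key": bytes.fromhex(rep["key"]), "endtime": rep["endtime"]}


def decrypt_ticket(key: bytes, ticket: bytes) -> Optional[dict]:
    """Ticket contents if `key` is the one that sealed it, else None."""
    try:
        return json.loads(unseal(key, b"ticket", ticket))
    except ValueError:
        return None


def reissue_ticket(krbtgt_key: bytes, ticket: bytes, new_endtime: int) -> bytes:
    """Only a holder of the krbtgt key (i.e. a KDC-equivalent party) can rewrite endtime."""
    body = json.loads(unseal(krbtgt_key, b"ticket", ticket))
    body["endtime"] = new_endtime
    return seal(krbtgt_key, b"ticket", json.dumps(body).encode())


def demo() -> dict:
    ticket, as_rep = kdc_issue_tgt("remi@REALM", endtime=1000)
    ccache = build_ccache("hunter2", ticket, as_rep)
    with_master = decrypt_ticket(MASTER_KEY, ticket)          # K/M alone: fails
    krbtgt_key = unseal(MASTER_KEY, b"kdb", KDB["krbtgt/REALM@REALM"])
    with_krbtgt = decrypt_ticket(krbtgt_key, ticket)          # krbtgt key: works
    longer = decrypt_ticket(krbtgt_key, reissue_ticket(krbtgt_key, ticket, 5000))
    return {
        "master_key_decrypts_tgt": with_master is not None,
        "krbtgt_key_decrypts_tgt": with_krbtgt is not None,
        "ccache_session_key_in_clear": ccache["session_key"] == bytes.fromhex(with_krbtgt["key"]),
        "reissued_endtime": longer["endtime"],
    }


if __name__ == "__main__":
    print(demo())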


--------------ms070505070005070403000105
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIM2zCC
A20wggJVoAMCAQICAQIwDQYJKoZIhvcNAQEEBQAwKzELMAkGA1UEBhMCRlIxDTALBgNVBAoT
BENOUlMxDTALBgNVBAMTBENOUlMwHhcNMDEwNDI3MDU0NjQ5WhcNMTEwNDI1MDU0NjQ5WjA0
MQswCQYDVQQGEwJGUjENMAsGA1UEChMEQ05SUzEWMBQGA1UEAxMNQ05SUy1TdGFuZGFyZDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANzhHiE9BovqvV60iNsPk5e0bQc9hmIA
Lcr/tUqO51akj2Es8aAqq/Yq3Xwsv+91VQusCU7nTmHA5wzwkBVFEgLCjOvDEmTiYxAYLssH
MdmB5dwpgpsxVuKBHopvp+ipWBFEVoNds054cC3ftv1ygUXV8e5Nzu++1T0MkCBFmgmArw9M
2iAOgL86s+sngMC5D8ChTkDcOv1qKr9A1SxxgPn4umvk6ioAqy++mvCndm2YKZwPL/BC8hiX
W8n2zBlfusK+EtJcsJCUwLfLBgTvjzDtMi16SveTu6AJpLTuM8vQg5u1tbOQ3o6QHlmcINVL
Hu3XTE+G+hw6KqHprAWgnb8CAwEAAaOBkjCBjzAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRn
WaXlB3RJA+8Fz8wupBjVEMiePDBTBgNVHSMETDBKgBRW62i50lx+mLWlU8ORb2NYxPlrt6Ev
pC0wKzELMAkGA1UEBhMCRlIxDTALBgNVBAoTBENOUlMxDTALBgNVBAMTBENOUlOCAQAwCwYD
VR0PBAQDAgEGMA0GCSqGSIb3DQEBBAUAA4IBAQAGA0eDckWQwk7hIderF6kBVQbKQG1Voh1e
6+IUI1nkCeKQ9jyNNgYPS6cmI2XC6gaacru4jMuKX+95NiV+ANfzBpT7g0QpJjfH7umHzmyG
gBtxPdJir/bNYmxTD+Z6kwCMey4z4EEdqr5lmHbxlQd0s+Y/U3XVSwY2SynE9tyOE4BAEHOC
rRV7BHFQtTcz8shku6EQfjbGra9vcFKm0a7MzLqw6FkSj2INrQPdSyroiTmIUS/tYei3MIfb
J1VtZoejUQmAYXFRBb4THdlBMPx1XwqWmxj/vpCBtBPAchEI/Wqaage99IMstGA2ZAf6PWqn
sJAEdoPdM8s04heYBAuhMIIEsTCCA5mgAwIBAgIDAJceMA0GCSqGSIb3DQEBBQUAMDQxCzAJ
BgNVBAYTAkZSMQ0wCwYDVQQKEwRDTlJTMRYwFAYDVQQDEw1DTlJTLVN0YW5kYXJkMB4XDTA5
MDIwNjA4MTA1MVoXDTExMDIwNjA4MTA1MVowbjELMAkGA1UEBhMCRlIxDTALBgNVBAoTBENO
UlMxEDAOBgNVBAsTB1VTUjY0MDIxFTATBgNVBAMTDFJlbWkgRmVycmFuZDEnMCUGCSqGSIb3
DQEJARYYcmVtaS5mZXJyYW5kQGNjLmluMnAzLmZyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAxBuDf5CGn1V0n2nqQQnVO2pPfHQ3E57a7jHNmZNYD3aOF9WVJjXwQfPpbwcE
m10vP/MURe/QjlN8ImcRCGNXybAsQyDV839HFuvUCN92Qju9B2IoQx/kUlmu7Gtcnzt2aTVb
jexZHdGkiv5GkWseqTOBXmDRfCOSDiowUX8YeSqEs+s0M0Urva5jLhyGIQRUBGvp7U0z0wug
XzUBufJS9i2fO4OvwZBqyCigOBfDfY/18Jx3haJadKaeG23pAJkeGPMit7L/gMfWIVYQ8kQa
F6ddd7D4axoGIYpy26DV1f+5WFV6yogegzH7Z2TP/zc9/ATOctSW9RLD9VBHpk1MawIDAQAB
o4IBkDCCAYwwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBLAwDgYDVR0PAQH/BAQD
AgXgMHgGCWCGSAGG+EIBDQRrFmlDZXJ0aWZpY2F0IENOUlMtU3RhbmRhcmQuIFBvdXIgdG91
dGUgaW5mb3JtYXRpb24gc2UgcmVwb3J0ZXIg4CBodHRwOi8vaWdjLnNlcnZpY2VzLmNucnMu
ZnIvQ05SUy1TdGFuZGFyZC8wHQYDVR0OBBYEFHuV0UmWU13s1WE1Vedp53drFMYoMFMGA1Ud
IwRMMEqAFGdZpeUHdEkD7wXPzC6kGNUQyJ48oS+kLTArMQswCQYDVQQGEwJGUjENMAsGA1UE
ChMEQ05SUzENMAsGA1UEAxMEQ05SU4IBAjAjBgNVHREEHDAagRhyZW1pLmZlcnJhbmRAY2Mu
aW4ycDMuZnIwRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL2NybHMuc2VydmljZXMuY25ycy5m
ci9DTlJTLVN0YW5kYXJkL2dldGRlci5jcmwwDQYJKoZIhvcNAQEFBQADggEBACdZ1ociRxMY
oWWBFZmDMT5Aa5rLvuSzKax8bb3WXqWOmk8D5LlSO17F3mkR5TekcDFSJ8/jXeFG4Q+toHxR
AyV3L3LCL6cUd29L0zJNj2E1QcRIzuuug/GCWszQP+VsatGn1TT/1najETgbAdolWdCByX9A
tRL0lo7G5Kz7TB31e08ZPus9k7fOPhClIAKxY4m6kxf2O73pkHu7kXbbgWjxFkF3rEq4qcYq
XsC9F2pUkCxKiKBI727aknODrvW0keb57kZldafCD/kBYcp32Vm68TBhzq844stfc1LPZXCc
XWW8PiToRxlgyopZ1e5bCzsVEdLiofRa8F9muSmjK+gwggSxMIIDmaADAgECAgMAlx4wDQYJ
KoZIhvcNAQEFBQAwNDELMAkGA1UEBhMCRlIxDTALBgNVBAoTBENOUlMxFjAUBgNVBAMTDUNO
UlMtU3RhbmRhcmQwHhcNMDkwMjA2MDgxMDUxWhcNMTEwMjA2MDgxMDUxWjBuMQswCQYDVQQG
EwJGUjENMAsGA1UEChMEQ05SUzEQMA4GA1UECxMHVVNSNjQwMjEVMBMGA1UEAxMMUmVtaSBG
ZXJyYW5kMScwJQYJKoZIhvcNAQkBFhhyZW1pLmZlcnJhbmRAY2MuaW4ycDMuZnIwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEG4N/kIafVXSfaepBCdU7ak98dDcTntruMc2Z
k1gPdo4X1ZUmNfBB8+lvBwSbXS8/8xRF79COU3wiZxEIY1fJsCxDINXzf0cW69QI33ZCO70H
YihDH+RSWa7sa1yfO3ZpNVuN7Fkd0aSK/kaRax6pM4FeYNF8I5IOKjBRfxh5KoSz6zQzRSu9
rmMuHIYhBFQEa+ntTTPTC6BfNQG58lL2LZ87g6/BkGrIKKA4F8N9j/XwnHeFolp0pp4bbekA
mR4Y8yK3sv+Ax9YhVhDyRBoXp113sPhrGgYhinLboNXV/7lYVXrKiB6DMftnZM//Nz38BM5y
1Jb1EsP1UEemTUxrAgMBAAGjggGQMIIBjDAMBgNVHRMBAf8EAjAAMBEGCWCGSAGG+EIBAQQE
AwIEsDAOBgNVHQ8BAf8EBAMCBeAweAYJYIZIAYb4QgENBGsWaUNlcnRpZmljYXQgQ05SUy1T
dGFuZGFyZC4gUG91ciB0b3V0ZSBpbmZvcm1hdGlvbiBzZSByZXBvcnRlciDgIGh0dHA6Ly9p
Z2Muc2VydmljZXMuY25ycy5mci9DTlJTLVN0YW5kYXJkLzAdBgNVHQ4EFgQUe5XRSZZTXezV
YTVV52nnd2sUxigwUwYDVR0jBEwwSoAUZ1ml5Qd0SQPvBc/MLqQY1RDInjyhL6QtMCsxCzAJ
BgNVBAYTAkZSMQ0wCwYDVQQKEwRDTlJTMQ0wCwYDVQQDEwRDTlJTggECMCMGA1UdEQQcMBqB
GHJlbWkuZmVycmFuZEBjYy5pbjJwMy5mcjBGBgNVHR8EPzA9MDugOaA3hjVodHRwOi8vY3Js
cy5zZXJ2aWNlcy5jbnJzLmZyL0NOUlMtU3RhbmRhcmQvZ2V0ZGVyLmNybDANBgkqhkiG9w0B
AQUFAAOCAQEAJ1nWhyJHExihZYEVmYMxPkBrmsu+5LMprHxtvdZepY6aTwPkuVI7XsXeaRHl
N6RwMVInz+Nd4UbhD62gfFEDJXcvcsIvpxR3b0vTMk2PYTVBxEjO666D8YJazNA/5Wxq0afV
NP/WdqMROBsB2iVZ0IHJf0C1EvSWjsbkrPtMHfV7Txk+6z2Tt84+EKUgArFjibqTF/Y7vemQ
e7uRdtuBaPEWQXesSripxipewL0XalSQLEqIoEjvbtqSc4Ou9bSR5vnuRmV1p8IP+QFhynfZ
WbrxMGHOrzjiy19zUs9lcJxdZbw+JOhHGWDKilnV7lsLOxUR0uKh9FrwX2a5KaMr6DGCAr4w
ggK6AgEBMDswNDELMAkGA1UEBhMCRlIxDTALBgNVBAoTBENOUlMxFjAUBgNVBAMTDUNOUlMt
U3RhbmRhcmQCAwCXHjAJBgUrDgMCGgUAoIIBWDAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcB
MBwGCSqGSIb3DQEJBTEPFw0wOTA5MjkwODMxMTZaMCMGCSqGSIb3DQEJBDEWBBTOhTvVWyjB
JqmDIxZtQte3Z9hIqTBKBgkrBgEEAYI3EAQxPTA7MDQxCzAJBgNVBAYTAkZSMQ0wCwYDVQQK
EwRDTlJTMRYwFAYDVQQDEw1DTlJTLVN0YW5kYXJkAgMAlx4wTAYLKoZIhvcNAQkQAgsxPaA7
MDQxCzAJBgNVBAYTAkZSMQ0wCwYDVQQKEwRDTlJTMRYwFAYDVQQDEw1DTlJTLVN0YW5kYXJk
AgMAlx4wXwYJKoZIhvcNAQkPMVIwUDALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZI
hvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMA0GCSqG
SIb3DQEBAQUABIIBAJdiVZ0WjY41wZ1BRLNRfmcCcGEnckgKNmbpMZTgzKZhR9P0pfgD0SUN
DXNGZObPzFR320f9j8/DRbNyKXdmRW7hwIJdO1GgwU5NDadIxGgFwIX004tSXsCOKsokVhxp
AX7bkLtuSpksyGF02jwm3K8EessTsRMf92ChxEKYz+/D5DuNi85bDJhEItIJOIS1nCABO58w
CJG6arRziByAg4yzagZmZMSOGFv3DN7qLyKc5MdA97VdWDvgGR4hEQdp0IgREnj2Pr7MpstW
ov6i6sUVJCYisqjCQEZZNU8dmkh0/6Q6TtRSaa2+AmYkMpoUxl7rpGEQQiW2Y9T0xjKDM8cA
AAAAAAA=
--------------ms070505070005070403000105--

--===============0491793905==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

--===============0491793905==--

home help back first fref pref prev next nref lref last post