3.0.2 AFS login problem, Solaris 2.5.1

Booker C. Bense bbense at networking.stanford.edu
Tue Jan 8 06:39:31 EST 2002


On Fri, 4 Jan 2002, Peter Scott wrote:

> > >
> > > Why doesn't 3.0.2 call ka_UserAuthenticateGeneral?
> >
> >- Because it's insecure?
>
> Thanks for this information.  I've read the thread and URL you
> provided.  If you don't mind what may be a stupid question - does this
> imply that the stock AFS login - or at least the Transarc one we are using
> - is insecure?  Because all it has to go on is a username and password, and
> we already know that the kaservers don't have a srvtab for the client
> machine.  If it isn't insecure, what makes it secure?  I looked in OpenAFS
> source and if I'm looking at the right place, the login does call
> ka_UserAuthenticateGeneral... and without a srvtab for the client how can
> that be good enough?

- I would need to read the code to be sure of exactly what is going
on. I'll poke around in OpenAFS and see if I can make some sense
of what ka_UserAuthenticateGeneral actually does.

- From what I can see it just gets a tgt and does nothing with
it. IMHO, this is not "good enough". I don't have time at the moment
to read the entire login code, but if ka_UserAuthenticateGeneral is
all it's using, then there is a security risk in using this code.

- Booker C. Bense
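The point Peter and Booker are circling above is the classic KDC-spoofing weakness: a login that only asks the KDC for a TGT and checks that it decrypts with the typed password trusts whatever answers on the KDC's port, so an attacker who can answer in its place gets in with a password of their own choosing. The standard countermeasure is the one Peter hints at: after getting the TGT, also request a ticket for the local host's own principal and check that it decrypts under the key in the host's srvtab, which a rogue KDC cannot know. The following is an added toy model of both logins; it is not code from OpenAFS, Transarc AFS or kauth, and the cipher, string-to-key function, realm, principal names, passwords and the `KDC` class are all constructed for the demonstration.

```python
"""Toy model of a TGT-only login versus a login that also verifies a
service ticket against the host's srvtab. Added example; not OpenAFS
or kauth code. Cipher, string-to-key, names and passwords are made up."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def string_to_key(password: str, realm: str) -> bytes:
    """Toy string-to-key (assumption: real kauth uses a different transform)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 1000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC standing in for the DES that Kerberos 4/kauth use."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, "sha256").digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the blob was not sealed under this key."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, "sha256").digest(), tag):
        return None
    return bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body))))


class KDC:
    """One key per principal. A rogue KDC is simply a KDC whose user key the
    attacker chose and whose host key is invented (constructed model)."""

    def __init__(self, keys: dict):
        self.keys = keys

    def get_tgt(self, user: str) -> bytes:
        # Kerberos 4 style: the reply is sealed under the user's own key.
        return seal(self.keys[user], b"TGT for " + user.encode())

    def get_service_ticket(self, user: str, service: str) -> bytes:
        # Sealed under the *service's* key, which only a holder of that
        # key (the srvtab on the client host) can check.
        return seal(self.keys[service], b"ticket for " + user.encode())


def login_tgt_only(kdc: KDC, user: str, password: str, realm: str) -> bool:
    """What the thread describes: get a TGT, decrypt it, do nothing else."""
    return unseal(string_to_key(password, realm), kdc.get_tgt(user)) is not None


def login_with_srvtab(kdc: KDC, user: str, password: str, realm: str,
                      host_principal: str, srvtab: dict) -> bool:
    """Hardened login: also fetch a ticket for this host and require that it
    decrypts under the srvtab key and names the user who is logging in."""
    if not login_tgt_only(kdc, user, password, realm):
        return False
    ticket = unseal(srvtab[host_principal], kdc.get_service_ticket(user, host_principal))
    return ticket == b"ticket for " + user.encode()


def demo() -> dict:
    realm, user, host = "EXAMPLE.EDU", "peter", "rcmd.client.example.edu"
    host_key = secrets.token_bytes(32)            # the real srvtab entry
    srvtab = {host: host_key}
    real_kdc = KDC({user: string_to_key("correct horse", realm), host: host_key})
    # Attacker's KDC: knows the password it picked, does not know host_key.
    rogue_kdc = KDC({user: string_to_key("attacker-chosen", realm),
                     host: secrets.token_bytes(32)})
    return {
        "real_kdc_good_password_tgt_only": login_tgt_only(real_kdc, user, "correct horse", realm),
        "real_kdc_bad_password_tgt_only": login_tgt_only(real_kdc, user, "wrong", realm),
        # The flaw: a rogue KDC answering in place of the real one makes the
        # attacker's own password "valid" for peter's account.
        "rogue_kdc_tgt_only": login_tgt_only(rogue_kdc, user, "attacker-chosen", realm),
        "rogue_kdc_with_srvtab": login_with_srvtab(rogue_kdc, user, "attacker-chosen", realm, host, srvtab),
        "real_kdc_with_srvtab": login_with_srvtab(real_kdc, user, "correct horse", realm, host, srvtab),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:35s} {'accepted' if ok else 'rejected'}")
```

Running it shows the TGT-only login accepting the attacker's password against the rogue KDC while the srvtab-checked login rejects it and still accepts the genuine password against the real KDC. The check only helps if the host actually has a srvtab entry, which is exactly the condition Peter notes the Transarc login lacks.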


More information about the openssh-unix-dev mailing list