Patch to obtain AFS tokens..

Robertson, Jason V jason.v.robertson at intel.com
Wed Jul 18 18:56:55 GMT 2001


Hi,

I've written a patch to samba and a Win32 GUI client to allow clients to
obtain AFS tokens at multiple cells securely, list tokens, and unlog tokens.
We have a security mandate about plaintext passwords on the network and I
couldn't think of another way to do it so this is the result.

It's been in use for a while and seems fairly stable and useful, so I'm
releasing it back in case anyone else finds it useful.

Some caveats:
1. I've never developed in RPC and it doesn't interest me much so I only
learned enough to get it working.  Don't laugh at my code :)
2. I've never really used OpenSSL
3. I've never developed samba code.

So it may not be real pretty, but it works for us here.

One question - where do I upload it?  It's too big to send in this mail.
README file is below.

Thanks,
Jason

-- README --

Copyright 2001 Intel Corporation

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA


Samba Afstoken patch
Author: Jason Robertson <jason.v.robertson at intel.com>
-----------------------------------------------------

This patch and the associated Win32 binary client were written to allow secure
authentication to AFS from a samba client.  It consists of two components.

The first is a server-side rpc service running under samba that provides a
simple API for listing, obtaining, and unlogging AFS tokens.  It also uses
OpenSSL to create a public-private keypair for encryption over RPC so that
AFS passwords aren't sent in the clear (a security requirement for some
sites).

The second component is a sample GUI client that uses the RPC mechanism to
get, unlog, and list tokens.  This involves getting the server's public key and
encrypting the AFS password with a session key.  Trust issues are neglected
in this situation - we assume the server is really the server and not an
impostor.  It would be exceedingly simple to make a command-line klog utility -
see sambarpc.cpp.  The default client is smbklog.exe in this directory.

This patch was done with AFS 3.6 from Transarc, and it should at least work
with AFS 3.5.  Newer OpenAFS versions should probably work.  It has only
been ported to Linux and Solaris 2.6+.  Other ports should be easy; the only
problem is typically the AFS include files.

Notes:
1. Your token goes away when your smbd process goes away (deadtime setting).
   * There is a technical solution to this, though it would be difficult and
     messy.  You have the same limitation with normal WITH_AFS support.  The
     solution would involve saving the tokens in binary format, and
     reasserting them when samba starts.  We don't need this, so I didn't
     implement it.
2. You can see some debug info in the logfiles about key generation, and other
   debug info.  Run smbd with the "-d 3" option.
3. The client is in this directory, smbklog.exe
4. I used openssl-0.9.6 to compile - you will need to tweak the samba Makefile
   for the path.  A patch for Solaris is in this directory - you may need to
   apply it to OpenSSL to get the patch to work correctly.
5. This is intended for use with domain authentication.  If you use unencrypted
   passwords your pagsh will be overwritten, so normal AFS passwords (i.e.
   cleartext passwords) won't work anymore.

Then configure and compile as normal (use --with-afs).  Also, make sure the
OpenSSL include/library paths are correct in the Makefile.  Solaris requires the
OpenSSL patch file in this dir.

Then you can use the client - that should be it.

Server Configuration
--------------------

There is an smb.conf option:
afstoken service keybits = <256|512|768|1024|2048>

This is the size of the RSA key generated.  I'd recommend 256 or 512 unless
you're paranoid.

If you have questions, comments, or patches please contact me at
jason.v.robertson at intel.com
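The exchange the README describes (the client fetches the server's RSA public key, wraps a session key with it and encrypts the AFS password under that key before the RPC call), written out in Go as an added example that is not code from the patch or from smbklog.exe: it adds a client-side floor on the server's key size, since the 256/512-bit sizes suggested above are far too small today, and binds the cell name as associated data, while the server's key itself remains unauthenticated, which is the trust gap the README acknowledges. The wire format, the ciphers (RSA-OAEP, AES-256-GCM), the MinKeyBits value and all function names are assumptions, not taken from the patch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// MinKeyBits: assumed floor the client demands of the server's RSA key (2048 today).
const MinKeyBits = 2048
// aead builds the AES-256-GCM cipher that seals the password under a session key.
func aead(sessionKey []byte) cipher.AEAD {
	block, _ := aes.NewCipher(sessionKey) // 32-byte key, so NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// ClientSeal (client side): wrap a fresh session key with RSA-OAEP and seal the password
// with AES-GCM, cell name as associated data. Nothing proves pub is the real server's.
func ClientSeal(pub *rsa.PublicKey, cell, password string) (wrapped, nonce, sealed []byte, err error) {
	if pub.N.BitLen() < MinKeyBits {
		return nil, nil, nil, fmt.Errorf("server key is %d bits, below %d", pub.N.BitLen(), MinKeyBits)
	}
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey)
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	gcm := aead(sessionKey)
	nonce = make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return wrapped, nonce, gcm.Seal(nil, nonce, []byte(password), []byte(cell)), nil
}

// ServerOpen (server side): unwrap the session key and recover the password for klog.
func ServerOpen(priv *rsa.PrivateKey, cell string, wrapped, nonce, sealed []byte) (string, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return "", err
	}
	pt, err := aead(sessionKey).Open(nil, nonce, sealed, []byte(cell))
	if err != nil {
		return "", fmt.Errorf("password could not be recovered: %w", err)
	}
	return string(pt), nil
}
```

A replayed envelope presented for a different cell fails the GCM tag check, which is the point of binding the cell name; a passive capture of the RPC yields only the wrapped key and ciphertext.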
