[GE users] reserved ports in SGE 6.0

Sean Dilda agrajag at dragaera.net
Wed Nov 24 14:33:17 GMT 2004


On Wed, 2004-11-24 at 04:04, Andy Schwierskott wrote:

> Yes, but on an AFS machine (machine with AFS mounted filesystems), even if
> someone breaks the root account he still cannot access the home directories
> of AFS users and thus could not submit jobs on behalf of these users since
> the keys stored in the home directories are not accessible.
> 
> AFS users -> can you confirm?
> 

After talking to one of the AFS experts here, I realized that I was
partially wrong with my initial comment.

In every production AFS setup I've seen, it is set up so that when you
log in, a Kerberos ticket file and credential cache is created in /tmp,
with permissions set so that only the user can access them.  Environment
variables are then set to point to those files so that any programs you
run will be able to read those environment variables and get access to
the Kerberos tickets.  So, if you have this setup, and someone is logged
into a box and someone else has a root shell on that box, it's a simple
matter for them to get access to your Kerberos tickets, then get AFS
tokens for you from your Kerberos tickets.

However, not all AFS setups have to be that way.  AFS stores your tokens
in the kernel, so in theory it's possible to log in and get AFS tokens
without your Kerberos tickets being written to disk.  However, I've
never seen a production setup like that, and neither has the co-worker
I've talked to about this.

I was also wrong about the encryption.  Apparently, if you have a new
enough version of OpenAFS (not Transarc AFS) on both your client AND server,
then you can enable encryption over the wire.
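As an added illustration of the per-user protection the post describes (not code from the thread or from Grid Engine), the following audits a FILE:-type Kerberos credential cache named by KRB5CCNAME: it must be a regular file, owned by the expected user, with no group or world permission bits. It uses constructed placeholder files, not real tickets, and, as the post itself points out, file permissions give no protection against someone who already has root on the box.

```python
import os
import stat
import tempfile

def parse_ccache_path(krb5ccname):
    """Return the on-disk path for a FILE:-type KRB5CCNAME value, else None.
    A bare path is treated as FILE: (the MIT krb5 default); other cache types
    such as KEYRING: or KCM: do not live on disk and are skipped."""
    if ":" not in krb5ccname:
        return krb5ccname
    cctype, _, rest = krb5ccname.partition(":")
    return rest if cctype.upper() == "FILE" else None

def audit_ccache(path, expected_uid):
    """Return a list of findings; an empty list means the cache looks right:
    a regular file, owned by expected_uid, readable only by its owner."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")  # a cache path in a shared /tmp should not be a symlink
    elif not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
    if st.st_uid != expected_uid:
        findings.append("owner-mismatch")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-world-accessible")
    return findings

def demo():
    """Constructed sample: two cache files in a temp dir, one 0600, one 0644."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "krb5cc_1000")
    loose = os.path.join(d, "krb5cc_1001")
    for p, mode in ((good, 0o600), (loose, 0o644)):
        with open(p, "wb") as f:
            f.write(b"constructed placeholder, not a real ticket")
        os.chmod(p, mode)
    me = os.getuid()
    return {
        "good": audit_ccache(parse_ccache_path("FILE:" + good), me),
        "loose": audit_ccache(parse_ccache_path(loose), me),
        "keyring": parse_ccache_path("KEYRING:persistent:1000"),
    }

if __name__ == "__main__":
    print(demo())
```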

