
Cross-Realm AFS Authentication

Cross-realm AFS authentication allows users in one Kerberos realm (a Kerberos "realm" is an administrative domain such as ECE or Andrew) to manipulate files in another realm without having to authenticate separately in each one. AFS cells that support cross-realm authentication are:

  • ece.cmu.edu
  • cs.cmu.edu
  • andrew.cmu.edu
  • club.cc.cmu.edu
  • dementia.org
  • athena.mit.edu

Setting up cross-realm authentication

To set up cross-realm authentication, you need to run the aklog command, while authenticated to your local cell, giving it the name of the foreign AFS cell that you will be authenticating to. Then you will need to create an entry in the foreign cell's pts database. Previously, this happened automatically. For example, if you are on a host in the ece.cmu.edu cell and want to do cross-realm authentication with the andrew.cmu.edu cell, you should run:

   aklog andrew.cmu.edu

If you are on a host in the andrew.cmu.edu cell and want to do cross-realm authentication with ece.cmu.edu, you should run:

   aklog ece.cmu.edu

Running aklog does two things:

  • It provides cross-realm "tokens" that can be used to access files in the foreign cell.
  • It checks to see that there is an entry for these cross-realm tokens in the protection server (pts) database in the foreign cell. If such an entry doesn't already exist, one is created. The cross-realm entry will have the form userid@foreigncell.

After running aklog, run the command:

   pts createuser <username>@<localcell> -cell <foreigncell>

This creates an entry for you in a foreign cell's protection database. If you want to verify that an entry for your cross-realm tokens exists in the foreign cell's pts database, you can enter the following command:

   pts examine <username>@<localcell> -cell <foreigncell>
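The three steps above (aklog, pts examine, pts createuser) can be wrapped in one idempotent script so that re-running it never tries to create an entry that already exists. The script below is an added example, not a tool shipped with AFS or by the ECE facilities; it assumes that aklog and pts are on PATH and that pts examine exits non-zero when the named entry is absent from the foreign cell's database. The cell and user names in the usage line are the ones used elsewhere on this page.

```shell
#!/bin/sh
# Added example: idempotent cross-realm setup for one foreign AFS cell.
# Assumes the OpenAFS user tools aklog and pts are on PATH.

# Build the cross-realm pts identity, userid@localcell.  Names containing
# '@' or whitespace would be ambiguous to pts, so they are rejected.
cross_realm_id() {
    user=$1; cell=$2
    [ -n "$user" ] && [ -n "$cell" ] || return 1
    case "$user$cell" in
        *@*|*[[:space:]]*) return 1 ;;
    esac
    printf '%s@%s\n' "$user" "$cell"
}

# Succeed (exit 0) if the identity already has an entry in the foreign
# cell's pts database.  Assumption: pts examine exits non-zero otherwise.
has_pts_entry() {
    id=$1; foreign=$2
    pts examine "$id" -cell "$foreign" >/dev/null 2>&1
}

# Obtain cross-realm tokens for the foreign cell, then create the pts entry
# only if it is missing.  Prints "exists" or "created" on success.
ensure_cross_realm_entry() {
    user=$1; local_cell=$2; foreign=$3
    id=$(cross_realm_id "$user" "$local_cell") || {
        echo "bad user or cell name" >&2; return 2; }
    aklog "$foreign" || { echo "aklog $foreign failed" >&2; return 3; }
    if has_pts_entry "$id" "$foreign"; then
        echo exists
    else
        pts createuser "$id" -cell "$foreign" || return 4
        echo created
    fi
}

# Usage (needs a working AFS client and a token for the local cell):
#   sh cross_realm.sh hb0v ece.cmu.edu andrew.cmu.edu
if [ $# -eq 3 ]; then
    ensure_cross_realm_entry "$1" "$2" "$3"
fi
```

Because the entry is created only after pts examine fails, the script is safe to run from a login file on every session; it also refuses names that already contain an '@', which would otherwise produce a mangled identity such as user@cell@cell.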

To see a list of which Andrew or CS users have established cross-realm identities in the ece.cmu.edu cell, you can use the command:

   pts members system:authuser@{cs or andrew}.cmu.edu

To see a list of ECE users who have established cross-realm identities in the andrew or CS AFS cells, you can use the command:

   pts members system:authuser@ece.cmu.edu -cell {cs or andrew}.cmu.edu

Note that you will need to run aklog to get cross-realm tokens before accessing files in the other cell. If you are frequently accessing files in another cell, you may wish to put:

   aklog <foreigncell>

in your .login.

Adding a cross-realm ID to ACLs and groups

Once a cross-realm ID has been created, you can add it to AFS ACLs and groups the same way you would add a user in the local cell to ACLs and groups. For example, to add the Andrew username "hb0v" to an ACL:

   fs sa my_directory hb0v@andrew.cmu.edu rl

and to a group:

   pts adduser hb0v@andrew.cmu.edu bovik:colleagues

Security

By granting permission to access your files in the ece.cmu.edu cell to your username in another realm, you have created the possibility that somebody could break into your other account and access your ECE files (the same concept applies if the andrew.cmu.edu cell is where you keep most of your important files and you have granted cross-realm access to your ECE username). For this reason, it is suggested that you only add your other realm's username to directories when it is necessary to do so.
