At Decorum, I spoke to a number of people who were interested in the ability to modify Kerberos V5 tickets.

Von Welch at NCSA has developed a krb525 package which is similar in concept to the MIT krb524. The krb52* client sends a ticket to the krb52*d which can modify the information in the ticket, including the encrypted parts, and return a new ticket. The krb52*d can do this since it has the keys for the services which need to be changed. krb52*d is usually run on the same machine as the KDC or DCE security server.

The ak5log used the krb524 to take a K5 ticket, convert it to a K4 ticket which could then be used as an AFS token. The krb525 takes a K5 ticket, changes it and returns a K5 ticket.

Some possible uses:

 o Changing the principal name
 o Changing the case of a realm or cell
 o Increasing the lifetime of a ticket
 o Adding auth data to a ticket

This can be found at: ftp://ftp.ncsa.uiuc.edu/aces/kerberos/krb525

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
