[OpenAFS] token theft under XP (High security option)

Rodney M Dyer rmdyer@uncc.edu
Fri, 13 Dec 2002 14:50:11 -0500


Furthermore...

It looks like your high security fix is a new "OpenAFS only" add-on.  Where 
is the official documentation for this?  I didn't see the code that allows 
the "LogoffTokenTransferTimeout" in the OpenAFS source.  It looks to me 
like Transarc/IBM released the source for AFS (an older version) and the 
OpenAFS group forked it.  Then, features have been added that almost no 
one knows anything about.  Am I wrong?

Rodney


At 09:49 AM 12/13/2002 -0800, James Peterson wrote:
>Token theft is an issue with Windows, not necessarily with just XP.
>
>Basically there was no solution to destroy tokens when the user logs out so
>the token is left around for the next user who logs on to grab (if they know
>the previous username).
>
>I suggest you use the "High security" option.  We designed this option to
>make it difficult to grab 'left over tokens' by creating an internal secret
>user name. Using the High Security option will make it next to impossible to
>steal your tokens.
>
>If you use Regedit, change the Logon Options parameter to 2 or 3 and reboot.
>
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemond\NetworkProvider
>      LogonOptions = 1 - Integrated Logon
>      LogonOptions = 2 - High Security options, Random User name generation
>      LogonOptions = 3 - both
>
>James Peterson
>"Integrity is the Base of Excellence"
>
>P.S.
>If someone could direct me to a system 'call back' or process that is
>invoked when a user logs out then I would gladly fix that problem.
>
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info
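To verify whether the High Security option described in the quoted message is actually set on a machine, here is an added PowerShell audit example (not code from this thread or from the OpenAFS project). The key path and the LogonOptions values are copied from the quoted message as written, so confirm the service name against your own installation before relying on it.

```powershell
# Added example: audit (and optionally set) the OpenAFS LogonOptions value.
# Key path copied from the quoted post; verify the service name on your installation.
$AfsNetProviderKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemond\NetworkProvider'

function Get-AfsLogonOptionStatus {
    param([string]$KeyPath = $AfsNetProviderKey)

    if (-not (Test-Path $KeyPath)) {
        return [pscustomobject]@{
            KeyPresent = $false; LogonOptions = $null; IntegratedLogon = $false; HighSecurity = $false
        }
    }
    $value = (Get-ItemProperty -Path $KeyPath -Name 'LogonOptions' -ErrorAction SilentlyContinue).LogonOptions

    # Values from the post: 1 = Integrated Logon, 2 = High Security (random user name), 3 = both.
    # Decoding them as bit flags (bit 0 = integrated, bit 1 = high security) matches all three cases.
    [pscustomobject]@{
        KeyPresent      = $true
        LogonOptions    = $value
        IntegratedLogon = ($null -ne $value) -and (($value -band 1) -ne 0)
        HighSecurity    = ($null -ne $value) -and (($value -band 2) -ne 0)
    }
}

function Enable-AfsHighSecurityLogon {
    # Sets LogonOptions = 3 (Integrated Logon + High Security), as the post recommends.
    # Needs an elevated shell; the post says a reboot is required for the change to apply.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$KeyPath = $AfsNetProviderKey)

    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set LogonOptions = 3')) {
        Set-ItemProperty -Path $KeyPath -Name 'LogonOptions' -Value 3 -Type DWord
    }
}

# Audit run: report the current setting and warn if High Security is not enabled.
$status = Get-AfsLogonOptionStatus
$status | Format-List
if ($status.KeyPresent -and -not $status.HighSecurity) {
    Write-Warning 'High Security logon option is not enabled; leftover tokens remain easier to reuse after logoff.'
}
```

Run `Enable-AfsHighSecurityLogon -WhatIf` first to see the change without applying it.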