[OpenAFS-port-darwin] os x: destroying kerb tickets also destroys tokens

[Aaron Rosenblum]

>

Hmm I'm not sure if I understand this either...

I noticed that if I set the LoginWindow to get tickets on login 
(authnoverify method) I will also get an afs token upon login. However, 
if I logout using the menu item in the apple menu and then ssh back in 
and use the "tokens" command, I appear to still have my tokens (they 
are not unlogged when I log out).  If explicitly destroy the kerb 
tickets using kdestroy or the GUI app, the tokens die too.  Is it 
supposed to destroy the tokens on logout from the machine, or just 
"Destroy Tickets"?

Aaron


> Assuming the aklog Kerberos plugin you're using is mine, that's the 
> expected behavior.  If you don't want it, open up kfm_aklog.c and 
> remove the unlog() call from KerberosLoginNotification_Logout().
>
> Personally, I think it's the right behavior, at least most of the time 
> (here at Stanford, it's the default, but we have an option in our GUI 
> to turn it off).  When AFS tokens are obtained automatically as a side 
> effect of clicking "Get Tickets...", a user who isn't aware of this 
> certainly won't know that they need to do something else besides 
> clicking "Destroy Tickets" to safely leave the computer.
>
> -- 
> Alexei Kosut <akosut@cs.stanford.edu> <http://cs.stanford.edu/~akosut/>
>
> _______________________________________________
> port-darwin mailing list
> port-darwin@openafs.org
> https://lists.openafs.org/mailman/listinfo/port-darwin