[OpenAFS-devel] [LKML] Re: In-kernel Authentication Tokens (PAGs)

[Ken Hornstein]

>I too have gotten bitten by this -- mail in my case, though our crummy
>solution was just to set up a second mail server which spread out the
>load enough for it to stop breaking (for now).  I'd also like to see a
>new pag system that lacks this "throttling/resource exhaustion"
>characteristic.

According to the comments in the source code, the concern isn't really
resource exhaustion, but the fact that an attacker could allocate enough
PAGs to wrap around the space and join an existing PAG (whether or not
you call that "resource exhaustion" is a matter of semantics, I guess).

I see a remarkably simple solution to these problems, though.  All
of the cases mentioned to date take place on "trusted" servers (ones
that likely don't permit general user login).  If you define
AFS_WEB_ENHANCEMENTS when building the Openafs client, the 1-second
throttling is disabled.  You shouldn't do this unless you understand
the security concerns, though.

(I suspect in more than a few cases, the people who are running into this
really don't need a new PAG and they're just being bit by
ka_UserAuthenticateGeneral(), but no doubt a number of these cases do
need a new PAG).

--Ken