[OpenAFS] Authentication problems with 1.0.4
Tue, 15 May 2001 11:08:38 -0700
I am currently working on a patch that is supposed to correct the
association of session ID with tokens. It seems that W2k creates sessions
much more liberally than NT or 9x. I am requesting thoughts about this
Most relevant seems to be the discussion about security issues of
associating the sessions ID with tokens. The only mechanism I can see is
looking through the Virtual connections trying to match UserName,
MachineName and Password with a token list. Some view this approach as a
security violation because it requires having local storage of 3 impt.
fields. However, I believe that associating only UserName or even
UserName & MachineName with the Virtual connection is not enough because a
remote host could "mimic" MachineName and UserName and use someone's else's
tokens to access their files.
The question I pose is information about windows protection on duplicate
MachineName/UserName on the net and therefore making it unnecessary to
store Password a Virtue Circuit structure.
I also question what is the security risk of having these 3 fields in the
Virtual Circuit structure.
Basically I/We are looking for a way to assocaite a new session (which
seems to be generated with each new DOS prompt on W2k) with
"Integrity is the base of excellence."