[OpenAFS] token theft under XP
Rodney M Dyer
rmdyer@uncc.edu
Thu, 12 Dec 2002 12:25:26 -0500
At 12:35 PM 12/11/2002 -0600, Charles Clancy wrote:
>Scenario:
>1. domain user 'x' logs in, gets tokens
>2. 'x' logs out
>3. local machine administrator goes in and creates local user 'x'
>4. log in as local user 'x'
>5. local user has access to the token and drive mappings obtained by the
> domain user
Umm, have you tried this? When you log out of Windows, the AFS client
service destroys your token. This is the reason that Transarc included a
"LogoffTokenTransferTimeout" registry option. For people using roaming
profiles, storing their profiles in AFS space, Windows could not store
their profile back to AFS when they logged out because of the token being
destroyed too early. The "LogoffTokenTransferTimeout" option specifies to
the AFS service to hold on to the token for a few seconds until the profile
is saved. The last time I checked, the OpenAFS Windows client didn't have
this option. This is most likely because the OpenAFS project started with
old Transarc code, not the latest that was available at the time.
Rodney
Rodney M. Dyer
x86 Systems Programmer
College of Engineering Computing Services
University of North Carolina at Charlotte
Email rmdyer@uncc.edu
Phone (704)687-3518
Help Desk Line (704)687-3150
FAX (704)687-2352
Office 267 Smith Building
>The seriousness of this could easily be argued away, but perhaps it could
>be solved by associating tokens with one's fully qualified username (i.e.
>DOMAIN\username or COMPUTER\username).
>
>Just a thought.
>
>[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]