[OpenAFS] token theft under XP (High security option)
Rodney M Dyer
rmdyer@uncc.edu
Fri, 13 Dec 2002 14:50:11 -0500
Furthermore...
It looks like your high security fix is a new "OpenAFS only" add-on. Where
is the official documentation for this? I didn't see the code that allows
the "LogoffTokenTransferTimeout" in the OpenAFS source. It looks to me
like Transarc/IBM released the source for AFS (an older version) and the
OpenAFS group fork'ed it. Then, features have been added that almost no
one knows anything about. Am I wrong?
Rodney
At 09:49 AM 12/13/2002 -0800, James Peterson wrote:
>Token theft is an issue with windows, not necessary with just XP.
>
>Basically there was no solution to destroy tokens when the user logs out so
>the token is left around for the next user who logs on to grab (if they know
>the previous username).
>
>I suggest you use the "High security" option. We designed this option to
>make it difficult to grab 'left over tokens' by creating an internal secret
>user name. Using the High Security option will make it next to impossible to
>steal your tokens.
>
>If you use Regedit, change the Logon Options parameter to 2 or 3 and reboot.
>
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemond\Netw
>orkProvider
> LogonOptions = 1 - Integrated Logon
> LogonOptions = 2 - High Security options, Random User name generation
> LogonOptions = 3 - both
>
>James Peterson
>"Integrity is the Base of Excellence"
>
>P.S.
>If someone could direct me to a system 'call back' or process that is
>invoked when a user logs out then I would gladly fix that problem.
>
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info