[OpenAFS] Integrated Logon automatically starts

Jeffrey Altman jaltman@columbia.edu
Sun, 25 Apr 2004 16:54:25 -0400


Matthew Cocker wrote:

> Jeffrey Altman wrote:
>
>> I will not support the 1.2 clients.  As far as I am concerned they 
>> are dead.
>> If there is something wrong with 1.3.63 or later I will fix it.
>> If your University is supporting 1.2.10 I suggest you speak with them 
>> about your issues.
>>
>> Jeffrey Altman
>>
>
> Fair enough. I have been using the 1.3 clients for a while now and 
> they work much better but what about the problems with 1.3 clients in 
> multi-user (i.e. TS) environments (see below). The 1.2.11 client does 
> not have the same issue does it? Will a 1.3 client that works in TS 
> environment be developed?
>
> http://www.openafs.org/release/openafs-1.3.63.html
>
> (2) tokens are assigned to the service on a system global basis. 
> Therefore,
> all users and processes on the machine are able to access files with the
> list of available tokens.  This is dangerous if anonymous logins are 
> enabled;
> or if multiple users are on the machine (ie, Terminal Server or XP user
> switching)
>
> Cheers
>
> Matt


The same problem exists in the 1.2 client.   The mechanism used to
store tokens from integrated logon works for the initial storage
of the initial token but fails if aklog.exe, klog.exe or afscreds.exe
must be used later on to obtain additional tokens.

In addition, there is leakage under some circumstances.
These problems are not unique to the 1.3.6x clients.
It is my intention to fix this but I need to find the time and
that means finding money.

Jeffrey Altman

