[OpenAFS] OpenAFS 1.7.3/Heimdal 1.5.1 64-bit Auto-login oddity

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 16 Dec 2011 10:18:34 -0500


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig05533AFF753155CFE29083A5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 12/16/2011 9:56 AM, Billy Beaudoin wrote:
> And that same bug got included in the Heimdal credential cache? Or is
> it literally the same CC from KfW?
>=20
> Billy Beaudoin
> ITECS Systems
> NC State University

The bug has nothing to do with the credential cache.  The bug is in the
kfwlogon.dll network provider and associated tools which is a very ugly
bit of code.

The kfwlogon.dll network provider is not included in the Heimdal
distribution.

Here is the problem.  The network provider executes within a different
logon session and with different user credentials than the end user
desktop shell and its child processes.  The API: credential cache server
(krbcc32s.exe or krbcc64s.exe) authenticates the incoming requests to
ensure that tickets stored in one logon session cannot be accessed by
another logon session.  Each logon session gets its own instance of the
credential cache server.

Therefore, it is not possible to create an API: credential cache from
the network provider to store the credentials into such that they can be
accessed by the applications in the user's eventual logon session.  What
kfwlogon.dll does is write the credentials to a FILE: cache and then
another bit of code that is executed by the Explorer Shell logon handler
copies the FILE: cache contents into an API: cache.

With OpenAFS 1.7 and the native IFS driver we now have Authentication
Group support on Windows.  My plan is to implement a new credential
cache built on top of Authentication Groups.  The Authentication Group
for the logon session is created by the OpenAFS Network Provider
(afslogon.dll) and the AFS token obtained at logon is stored within it.

The authentication group approach is much cleaner and much more secure.
  The project is unfunded as is much of the development of the OpenAFS
Windows client and Heimal.  My priorities at the moment are fixing the
bugs in the OpenAFS Windows client and then I will return to working on
Heimdal.

Jeffrey Altman


--------------enig05533AFF753155CFE29083A5
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJO62FMAAoJENxm1CNJffh4WfQH/1g0d6VhegzF+Nb9UJ13RqoE
1c5wFVh78rCiushbd6UxFQM1Eq8yKp2wXIIj0Tb73aWZJa/d58UH/ln6J8MjuY2+
qMgClYE1AOhlLGjzqwnlJEjHiD6C9uLxWef5hFpi/4pmcHxuH9crpk+QCpUOwXw6
8iuQx+hYlwz5EDV7hYXaXoHinz9mXD+Pp3PG/1FBuMstF3NZjvOdW3mPZ1F0jFiJ
OxNCkqygfzediP582Shznlz5QlmUkjqi855brn8gVbbEyG2g0wZkRMA/aD9F9030
3ZGyh65JzcwQGVXDebwHXw39utumj4Nt48PaiIIPdtu5OVBpgyRytTKLXvlEwmI=
=7P0+
-----END PGP SIGNATURE-----

--------------enig05533AFF753155CFE29083A5--