[OpenAFS-port-darwin] os x: destroying kerb tickets also destroys tokens
Alexei Kosut
akosut@cs.stanford.edu
Mon, 27 Jan 2003 15:28:17 -0600

On Monday, January 27, 2003, at 03:20 PM, David Botsch wrote:
> Using OS X.2.2, MIT Kerberos 4.5.1, and the aklog kerberos plugin.
>
> If I bring up the kerberos control panel and destroy the kerberos v4
> tickets, the afs tokens are also being destroyed. For obvious reasons,
> this is not good.

Assuming the aklog Kerberos plugin you're using is mine, that's the
expected behavior. If you don't want it, open up kfm_aklog.c and
remove the unlog() call from KerberosLoginNotification_Logout().

Personally, I think it's the right behavior, at least most of the time
(here at Stanford, it's the default, but we have an option in our GUI
to turn it off). When AFS tokens are obtained automatically as a side
effect of clicking "Get Tickets...", a user who isn't aware of this
certainly won't know that they need to do something else besides
clicking "Destroy Tickets" to safely leave the computer.
--
Alexei Kosut <akosut@cs.stanford.edu> <http://cs.stanford.edu/~akosut/>