[OpenAFS-port-darwin] os x: destroying kerb tickets also destroys tokens
Alexei Kosut
akosut@cs.stanford.edu
Tue, 28 Jan 2003 08:42:47 -0600

On Monday, January 27, 2003, at 10:07 PM, Aaron Rosenblum wrote:
> I noticed that if I set the LoginWindow to get tickets on login
> (authnoverify method) I will also get an afs token upon login. However,
> if I logout using the menu item in the apple menu and then ssh back in
> and use the "tokens" command, I appear to still have my tokens (they
> are not unlogged when I log out). If I explicitly destroy the kerb
> tickets using kdestroy or the GUI app, the tokens die too. Is it
> supposed to destroy the tokens on logout from the machine, or just
> "Destroy Tickets"?

The kfm_aklog plugin will destroy the AFS token whenever Kerberos for
Macintosh tells it there's been a logout. This happens when you click
"Destroy Tickets" or run kdestroy, but not at Mac OS X logout. I don't
think there's ever an explicit destruction of Kerberos credentials at
that time, but since the security context goes away, the tickets do
too. The AFS tokens remain -- if we could use PAGs, it wouldn't be an
issue here, either, but we can't.

Here at Stanford, we solve this by having our GUI Kerberos tool detect
Mac OS X logout and explicitly destroy the credentials cache and AFS
tokens (unless AFS home directories are being used).
--
Alexei Kosut <akosut@cs.stanford.edu> <http://cs.stanford.edu/~akosut/>
Hire me: <http://rescomp.stanford.edu/~akosut/resume/>
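
The logout cleanup described in the reply above, sketched as shell functions (an added example, not Stanford's tool or OpenAFS code). It assumes `kdestroy`, `unlog` and `tokens` are on the PATH, AFS is mounted at `/afs`, the `tokens` output format shown in the comment, and that it runs as the user who is logging out; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: logout-time cleanup of Kerberos tickets and AFS tokens.
# Assumptions: kdestroy, unlog and tokens are on PATH; AFS is mounted at /afs;
# this runs as the user logging out (without PAGs the tokens follow the user).

# True when the home directory lives in AFS, where the tokens are left alone.
home_is_in_afs() {
    case "$1" in
        /afs/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Count token lines in `tokens` output read from stdin. Assumed line format:
#   User's (AFS ID 1001) tokens for afs@example.edu [Expires Jan 29 08:42]
count_afs_tokens() {
    grep -ci 'tokens for afs@' || true
}

# Destroy the credentials cache and AFS tokens, then confirm none remain.
# Prints kept, clean, residual or unknown; returns 0 for kept and clean.
logout_cleanup() {
    home_dir=$1
    if home_is_in_afs "$home_dir"; then
        echo kept
        return 0
    fi
    kdestroy >/dev/null 2>&1 || true   # an already-empty cache is fine
    unlog || true                      # failure is caught by the check below
    if ! listing=$(tokens 2>/dev/null); then
        echo unknown                   # could not query the cache manager
        return 2
    fi
    remaining=$(printf '%s\n' "$listing" | count_afs_tokens)
    if [ "$remaining" -eq 0 ]; then
        echo clean
        return 0
    fi
    echo residual
    return 1
}

# Run only when asked, so the functions can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then
    logout_cleanup "$HOME"
fi
```

A "residual" result is the situation from the original question: the login session is gone but `tokens` still lists an AFS token.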