[OpenAFS-port-darwin] os x: destroying kerb tickets also destroys tokens

Alexei Kosut akosut@cs.stanford.edu
Tue, 28 Jan 2003 08:42:47 -0600


On Monday, January 27, 2003, at 10:07  PM, Aaron Rosenblum wrote:
> I noticed that if I set the LoginWindow to get tickets on login
> (authnoverify method) I will also get an afs token upon login. However,
> if I logout using the menu item in the apple menu and then ssh back in
> and use the "tokens" command, I appear to still have my tokens (they
> are not unlogged when I log out).  If I explicitly destroy the kerb
> tickets using kdestroy or the GUI app, the tokens die too.  Is it
> supposed to destroy the tokens on logout from the machine, or just
> "Destroy Tickets"?

The kfm_aklog plugin will destroy the AFS token whenever Kerberos for 
Macintosh tells it there's been a logout.  This happens when you click 
"Destroy Tickets" or run kdestroy, but not at Mac OS X logout.  I don't 
think there's ever an explicit destruction of Kerberos credentials at 
that time, but since the security context goes away, the tickets do 
too. The AFS tokens remain -- if we could use PAGs, it wouldn't be an 
issue here, either, but we can't.

Here at Stanford, we solve this by having our GUI Kerberos tool detect 
Mac OS X logout and explicitly destroy the credentials cache and AFS 
tokens (unless AFS home directories are being used).

-- 
Alexei Kosut <akosut@cs.stanford.edu> <http://cs.stanford.edu/~akosut/>
Hire me: <http://rescomp.stanford.edu/~akosut/resume/>
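A sketch of the logout-time cleanup Alexei describes, written as an added example for this thread rather than taken from Stanford's GUI tool or from OpenAFS. It assumes AFS is mounted at /afs, that kdestroy and unlog are on the PATH, and that the script is wired in as a Mac OS X LogoutHook (com.apple.loginwindow); the path check is what keeps tokens alive when the home directory itself lives in AFS.

```shell
#!/bin/sh
# Added example (not Stanford's tool, not OpenAFS code): destroy the Kerberos
# credentials cache and AFS tokens at Mac OS X logout, unless the home
# directory is in AFS and still needs the tokens.

# afs_home DIR: succeed (0) if DIR resolves to somewhere under /afs.
# Symlinks are followed so a /Users/foo -> /afs/... link is detected;
# `pwd -P` is POSIX, so no dependency on realpath.  /afs is an assumption.
afs_home() {
  dir=$1
  resolved=$(cd "$dir" 2>/dev/null && pwd -P) || resolved=$dir
  case "$resolved" in
    /afs/*|/afs) return 0 ;;
    *) return 1 ;;
  esac
}

# should_unlog DIR: succeed if credentials should be destroyed for a user
# whose home directory is DIR (i.e. the home directory is not in AFS).
should_unlog() {
  if afs_home "$1"; then
    return 1    # keep the tokens: the home directory needs them
  fi
  return 0
}

# destroy_credentials: kdestroy drops the ccache; kfm_aklog would notice and
# drop the token on its own, but unlog makes that explicit and covers a
# machine where the plugin is not loaded.  Both are skipped if absent.
destroy_credentials() {
  command -v kdestroy >/dev/null 2>&1 && kdestroy
  command -v unlog >/dev/null 2>&1 && unlog
  return 0
}

# logout_hook [HOME]: entry point for the LogoutHook; loginwindow runs it as
# root with the user name as $1, so in real use look HOME up from $1 instead.
logout_hook() {
  home=${1:-$HOME}
  if should_unlog "$home"; then
    destroy_credentials
    echo "destroyed Kerberos tickets and AFS tokens for $home"
  else
    echo "home directory $home is in AFS; leaving tokens in place"
  fi
}
```

Installed with `defaults write com.apple.loginwindow LogoutHook /path/to/script`, this runs at the point where the Kerberos for Macintosh logout notification never fires; on a machine using AFS home directories the check leaves the tokens alone, which matches the exception Alexei mentions.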