[OpenAFS-port-darwin] Re: port-darwin digest, Vol 1 #81 - 1 msg

Ragnar Sundblad ragge@nada.kth.se
Wed, 09 Jul 2003 20:53:11 +0200


--On 9 July 2003 13:50 -0400 Joseph Jackson <jackson@CMU.EDU> wrote:

> For our student computing labs, we've actually removed the UI elements
> that allow users to enable password checking in the screensaver panel of
> System Preferences. (We opened up the .nib file in Interface Builder,
> selected the checkbox and password field and pressed delete.) It's crude,
> but effective.

So did we.

We also have a screen saver/locker app that renews the tickets
at unlock. It currently has to be launched manually, but this
is fine for most uses, and we don't want to put more work on
this as Apple will probably fix it in Panther.

In addition, we have our background ticket renewer app that
uses renewable ticket granting tickets to get new tickets and
tokens.

They are using Heimdal, though, as the MIT/Apple Kerberos currently
doesn't support renewable tickets (at least last time I checked,
it crashed when you set it to get renewable tickets).

So, our setup is this at the moment:
At login time we use standard loginwindow Kerberos auth, and
my afslog plugin to get tokens (we can't use the Stanford
plugin since it won't work with Arla; my plugin is built
with the MIT krbafs lib and hopefully works with both, not
tested though).

At login time we also run an app that copies the MIT ticket
cache to the Heimdal cache so that we can have both.
The sad part is that this TGT isn't renewable, because of
the bug mentioned above.

When the renewer app, which currently only looks in the
Heimdal+kthkrb caches and the AFS token cache, discovers that
a ticket has passed half its lifetime it renews the ticket;
TGTs are renewed and service tickets are just checked up new.
When the renewer app discovers that half the renewable time
(typically two weeks) of the TGT has passed, it asks the
user for his/her password and buys a new renewable TGT.

When the user unlocks the screen, he/she buys a new two week
renewable TGT.

If the user uses the lock screen thing frequently, he/she should
never have to enter the password.

Again, to make this work we currently have to use Heimdal
as the main ticket cache. We hope to be able to switch to
just using MIT/Apple Kerberos soon, at least with Panther.

/ragge

-----
Ragnar Sundblad
Department of Numerical Analysis and Computer Science
Royal Institute of Technology
Stockholm, Sweden
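The renewal policy described in the message above (renew a ticket once it has passed half its lifetime; ask for the password once half the renewable window of the TGT has passed), modelled as an added example. This is not code from the KTH renewer app or from anyone on the list; the principal, the start time and the lifetimes are constructed values. It goes slightly beyond the mail in two places: it handles the non-renewable case mentioned for the MIT cache (where the only option past half the lifetime is a new login), and it models the KDC's capping of a renewed ticket's expiry at its renew-until time, so the simulation shows how many password prompts the policy costs a user over three weeks.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum


class Action(Enum):
    NONE = "nothing to do"
    RENEW = "renew with the existing renewable TGT, no password needed"
    REACQUIRE = "ask the user for the password and get a fresh renewable TGT"


@dataclass(frozen=True)
class Ticket:
    principal: str
    acquired: datetime             # when the user last typed a password
    issued: datetime               # start of the current lifetime (last renewal)
    expires: datetime              # end of the current lifetime
    renew_until: datetime | None   # None: not renewable (the MIT cache case in the mail)

    @property
    def lifetime(self) -> timedelta:
        return self.expires - self.issued

    @property
    def renewable_window(self) -> timedelta | None:
        if self.renew_until is None:
            return None
        return self.renew_until - self.acquired


def fresh_ticket(principal: str, now: datetime, lifetime: timedelta,
                 renewable_for: timedelta | None) -> Ticket:
    """Ticket as obtained with a password: full lifetime, optional renewable window."""
    renew_until = None if renewable_for is None else now + renewable_for
    return Ticket(principal, now, now, now + lifetime, renew_until)


def decide(t: Ticket, now: datetime) -> Action:
    """The renewer's half-lifetime rule from the mail, applied to one ticket."""
    if now >= t.expires:
        # An expired ticket cannot be renewed; only a new login helps.
        return Action.REACQUIRE
    if t.renew_until is None:
        # Not renewable: past half the lifetime the only option is a new login.
        return Action.REACQUIRE if now - t.issued >= t.lifetime / 2 else Action.NONE
    if now >= t.renew_until or now - t.acquired >= t.renewable_window / 2:
        # Renewable window exhausted or half used up: buy a new renewable TGT.
        return Action.REACQUIRE
    if now - t.issued >= t.lifetime / 2:
        return Action.RENEW
    return Action.NONE


def renew(t: Ticket, now: datetime) -> Ticket:
    """Model of a renewal: the new lifetime starts now, expiry capped at renew_until."""
    if t.renew_until is None or now >= t.renew_until or now >= t.expires:
        raise ValueError("ticket cannot be renewed")
    return replace(t, issued=now, expires=min(now + t.lifetime, t.renew_until))


def simulate(days: int, check_every: timedelta, lifetime: timedelta,
             renewable_for: timedelta) -> tuple[int, int]:
    """Run the renewer loop from a fresh login; return (password prompts, silent renewals)."""
    now = datetime(2003, 7, 9, 20, 0, tzinfo=timezone.utc)   # constructed start time
    t = fresh_ticket("user@EXAMPLE.ORG", now, lifetime, renewable_for)  # constructed principal
    end = now + timedelta(days=days)
    prompts = renewals = 0
    while now < end:
        action = decide(t, now)
        if action is Action.REACQUIRE:
            prompts += 1
            t = fresh_ticket(t.principal, now, lifetime, renewable_for)
        elif action is Action.RENEW:
            renewals += 1
            t = renew(t, now)
        now += check_every
    return prompts, renewals


if __name__ == "__main__":
    # Ten hour tickets renewable for two weeks, checked hourly, over three weeks.
    prompts, renewals = simulate(21, timedelta(hours=1), timedelta(hours=10), timedelta(days=14))
    print(f"password prompts: {prompts}, silent renewals: {renewals}")
```

With ten hour tickets renewable for two weeks and an hourly check, the half-window rule prompts for the password once a week and renews silently every five hours in between; a screen unlock, which buys a fresh two week TGT, resets the `acquired` time and pushes the next prompt out.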