[OpenAFS-port-darwin] os x: destroying kerb tickets also destroys tokens

Jonathan Z. Simon jzsimon@eng.umd.edu
Thu, 13 Mar 2003 18:07:04 -0500


(sorry for the long delay in replying to this thread)

Since I *want* the AFS tokens to be destroyed as automatically as  
possible, could the AFS tokens be destroyed using the LogoutHook  
described at

http://developer.apple.com/techpubs/macosx/Essentials/SystemOverview/BootingLogin/chapter_4_section_14.html#//apple_ref/doc/uid/20000981/CJBBAIAB

?

There's also some semi-serious discussion of how to best use these  
hooks over at MacOSXHints:
http://www.macosxhints.com/article.php?story=20030116061349986

Jonathan

On Tuesday, January 28, 2003, at 09:42  AM, Alexei Kosut wrote:

> On Monday, January 27, 2003, at 10:07  PM, Aaron Rosenblum wrote:
>> I noticed that if I set the LoginWindow to get tickets on login
>> (authnoverify method) I will also get an afs token upon login.  However,
>> if I logout using the menu item in the apple menu and then ssh back in
>> and use the "tokens" command, I appear to still have my tokens (they
>> are not unlogged when I log out).  If I explicitly destroy the kerb
>> tickets using kdestroy or the GUI app, the tokens die too.  Is it
>> supposed to destroy the tokens on logout from the machine, or just
>> "Destroy Tickets"?
>
> The kfm_aklog plugin will destroy the AFS token whenever Kerberos for  
> Macintosh tells it there's been a logout.  This happens when you click  
> "Destroy Tickets" or run kdestroy, but not at Mac OS X logout.  I  
> don't think there's ever an explicit destruction of Kerberos  
> credentials at that time, but since the security context goes away,  
> the tickets do too. The AFS tokens remain -- if we could use PAGs, it  
> wouldn't be an issue here, either, but we can't.
>
> Here at Stanford, we solve this by having our GUI Kerberos tool detect  
> Mac OS X logout and explicitly destroy the credentials cache and AFS  
> tokens (unless AFS home directories are being used).
>
> -- 
> Alexei Kosut <akosut@cs.stanford.edu> <http://cs.stanford.edu/~akosut/>
> Hire me: <http://rescomp.stanford.edu/~akosut/resume/>
--
Jonathan Z. Simon
Dept. of Electrical & Computer Engineering / Dept. of Biology
University of Maryland, College Park MD 20742 USA
Office: 1-301-405-3645, Lab: 1-301-405-6581, Fax: 1-301-314-9281
http://www.isr.umd.edu/Labs/CSSL/
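
Added example (not part of the original message and not OpenAFS or Apple code): a sketch of the LogoutHook idea asked about above, discarding the departing user's AFS tokens and skipping users whose home directory is in AFS, as in the exception mentioned in the quoted reply. The function and variable names are hypothetical; it assumes loginwindow runs the hook as root with the user's short name as $1, that `unlog` is on the user's PATH, that AFS is mounted at /afs, and that without PAGs the tokens belong to the user rather than to root.

```shell
#!/bin/sh
# LogoutHook sketch: loginwindow runs the hook as root and passes the
# short name of the user logging out as $1.

# Overridable settings (all names here are hypothetical, for illustration).
AFS_ROOT="${AFS_ROOT:-/afs}"      # assumed AFS mount point
UNLOG="${UNLOG:-unlog}"           # OpenAFS command that discards tokens; assumed on PATH
RUN_AS="${RUN_AS:-run_as_user}"   # helper that runs a command as the user
HOME_OF="${HOME_OF:-home_of}"     # helper that prints a user's home directory

# Assumption: without PAGs the tokens belong to the user, not to root,
# so the discard command has to run under the user's identity.
run_as_user() { u="$1"; shift; su -l "$u" -c "$*"; }

# Only called after the name has been validated below, so eval is safe.
home_of() { eval "echo ~$1"; }

# Prints one of: skipped-no-user, skipped-bad-username, skipped-afs-home,
# unlogged, unlog-failed. Returns non-zero only when the discard failed.
afs_logout_hook() {
    user="$1"
    case "$user" in
        ''|root)              echo "skipped-no-user";      return 0 ;;
        -*|*[!A-Za-z0-9._-]*) echo "skipped-bad-username"; return 0 ;;
    esac
    home=$("$HOME_OF" "$user")
    case "$home" in
        "$AFS_ROOT"/*)
            # Mirrors the exception for AFS home directories in the thread.
            echo "skipped-afs-home"; return 0 ;;
    esac
    if "$RUN_AS" "$user" "$UNLOG" >/dev/null 2>&1; then
        echo "unlogged"
    else
        echo "unlog-failed"; return 1
    fi
}

# Entry point when installed as the hook; does nothing without an argument.
if [ -n "${1:-}" ]; then
    afs_logout_hook "$1"
fi
```

To install it, run as root: `defaults write com.apple.loginwindow LogoutHook /path/to/hook.sh` (placeholder path).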