[OpenAFS-port-darwin] os x: destroying kerb tickets also destroys tokens
Aaron Rosenblum
arosenbl@mac.com
Thu, 13 Mar 2003 19:47:56 -0500
Calling the kdestroy program from the logout hook should trigger the
kfm_aklog plugin to destroy your tokens when a user logs out.
Aaron
On Thursday, March 13, 2003, at 06:07 PM, Jonathan Z. Simon wrote:
> (sorry for the long delay in replying to this thread)
>
> Since I *want* the AFS tokens to be destroyed as automatically as
> possible, could the AFS tokens be destroyed using the LogoutHook
> described at
> http://developer.apple.com/techpubs/macosx/Essentials/SystemOverview/BootingLogin/chapter_4_section_14.html#//apple_ref/doc/uid/20000981/CJBBAIAB ?
>
> There's also some semi-serious discussion of how to best use these
> hooks over at MacOSXHints:
> http://www.macosxhints.com/article.php?story=20030116061349986
>
> Jonathan
>
> On Tuesday, January 28, 2003, at 09:42 AM, Alexei Kosut wrote:
>
>> On Monday, January 27, 2003, at 10:07 PM, Aaron Rosenblum wrote:
>>> I noticed that if I set the LoginWindow to get tickets on login
>>> (authnoverify method) I will also get an AFS token upon login. However,
>>> if I log out using the menu item in the Apple menu and then ssh back in
>>> and use the "tokens" command, I appear to still have my tokens (they
>>> are not unlogged when I log out). If I explicitly destroy the kerb
>>> tickets using kdestroy or the GUI app, the tokens die too. Is it
>>> supposed to destroy the tokens on logout from the machine, or just
>>> "Destroy Tickets"?
>>
>> The kfm_aklog plugin will destroy the AFS token whenever Kerberos for
>> Macintosh tells it there's been a logout. This happens when you
>> click "Destroy Tickets" or run kdestroy, but not at Mac OS X logout.
>> I don't think there's ever an explicit destruction of Kerberos
>> credentials at that time, but since the security context goes away,
>> the tickets do too. The AFS tokens remain -- if we could use PAGs, it
>> wouldn't be an issue here, either, but we can't.
>>
>> Here at Stanford, we solve this by having our GUI Kerberos tool
>> detect Mac OS X logout and explicitly destroy the credentials cache
>> and AFS tokens (unless AFS home directories are being used).
>>
>> --
>> Alexei Kosut <akosut@cs.stanford.edu>
>> <http://cs.stanford.edu/~akosut/>
>> Hire me: <http://rescomp.stanford.edu/~akosut/resume/>
>>
>> _______________________________________________
>> port-darwin mailing list
>> port-darwin@openafs.org
>> https://lists.openafs.org/mailman/listinfo/port-darwin
>>
>>
> --
> Jonathan Z. Simon
> Dept. of Electrical & Computer Engineering / Dept. of Biology
> University of Maryland, College Park MD 20742 USA
> Office: 1-301-405-3645, Lab: 1-301-405-6581, Fax: 1-301-314-9281
> http://www.isr.umd.edu/Labs/CSSL/
>
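The approach Aaron suggests at the top of the thread, written out as a hypothetical LogoutHook script; this is an added example, not code from the thread or from OpenAFS. It assumes kdestroy, unlog and tokens are on PATH, that loginwindow passes the logging-out user's short name as the first argument, and that su can run commands in that user's context.

```sh
#!/bin/sh
# Hypothetical Mac OS X LogoutHook, added here as an example; it is not
# code from the thread. loginwindow runs the hook as root with the
# logging-out user's short name in $1, so each step is run as that user.
# Assumed on PATH: kdestroy (Kerberos for Macintosh), unlog and tokens (OpenAFS).

KDESTROY="${KDESTROY:-kdestroy}"
UNLOG="${UNLOG:-unlog}"
TOKENS="${TOKENS:-tokens}"

# Run a command string as the given user (assumes su is available).
run_as() {
    su "$1" -c "$2"
}

# Return 0 when "tokens" still lists an AFS token for the user, 1 otherwise.
# OpenAFS prints one line per cell containing "tokens for afs@<cell>".
has_afs_tokens() {
    run_as "$1" "$TOKENS" | grep -q 'tokens for afs@'
}

# Destroy the Kerberos tickets first: that is the event kfm_aklog reacts to
# by dropping the AFS token. Then call unlog anyway, because without PAGs
# the token would otherwise outlive the login session.
# Returns 0 if no token remains, 1 if one does, 2 on bad usage.
logout_cleanup() {
    user="$1"
    if [ -z "$user" ]; then
        echo "usage: $0 <username>" >&2
        return 2
    fi
    run_as "$user" "$KDESTROY" || echo "kdestroy failed for $user" >&2
    run_as "$user" "$UNLOG" || echo "unlog failed for $user" >&2
    if has_afs_tokens "$user"; then
        echo "AFS token still present for $user after logout" >&2
        return 1
    fi
    return 0
}

# When loginwindow invokes the hook, $1 is the user; clean up and exit.
if [ "$#" -gt 0 ]; then
    logout_cleanup "$1"
fi
```

The final check with tokens is what tells you whether the hook actually worked, since a kdestroy that finds no credential cache exits quietly and leaves the AFS token in place.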