[OpenAFS-port-darwin] krb5 aklog.loginlogout ?
Alexei Kosut
akosut@cs.stanford.edu
Fri, 18 Jun 2004 01:08:51 -0700
On Jun 18, 2004, at 12:44 AM, Derrick J Brashear wrote:
> On Fri, 18 Jun 2004, Eric Knauel wrote:
>
>> Both krb5 aklog plugins, Ragnars and yours, don't call unlog on
>> logout. I wonder, what is the reason for this and is this harmless?
>
> Well, it presumably means the next login with that uid will have those
> tokens. And in fact if you did the unlog it would mean if same uid still
> had sessions logged in, they'd go away.
More significantly, it means that if I walk up to your computer, type
"kinit" to get Kerberos credentials (which will automatically get AFS
tokens via the plugin), then type "kdestroy" and walk away, that
session will still have my AFS tokens and you can access my files when
I probably expected the kdestroy to have completely logged me out from
Kerberos services, especially if I didn't know you had AFS set up on
the system.
That said, if you're using AFS home directories, Mac OS X (at least as
of Jaguar) needs to write to your home directory after it destroys your
Kerberos credentials during the GUI logout. So unlogging on credential
destruction turns out to be problematic in that case.
If I recall correctly, what we did at Stanford was unlog-on-logout for
casual users with local home directories who also want to access their
AFS space (most users), but used a preference to turn the unlog off for
lab machines set up to use AFS home directories. On systems like that,
it doesn't really matter that the tokens remain associated with the
uid, since to log in as that user would require you to authenticate as
that user using Kerberos. And since we didn't allow remote logins to
those systems, there's only the single console session to worry about.
Alexei
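A logout hook that implements the Stanford policy Alexei describes, written here as an added example for this thread rather than code from the aklog plugin or from either poster; it assumes a site preference domain and key (`edu.example.aklog` / `KeepTokensOnLogout`) and relies on macOS loginwindow's LogoutHook, which runs the script as root with the logging-out user's name as its first argument.

```sh
#!/bin/sh
# Added example, not code from the aklog plugin or from this thread: a macOS
# loginwindow LogoutHook following the Stanford policy described above. Drop the
# user's AFS tokens at logout unless the machine is set up for AFS home
# directories, where unlogging breaks the post-logout home directory writes.
# loginwindow runs the hook as root with the logging-out user's name as $1.

PREF_DOMAIN="edu.example.aklog"    # assumed preference domain
PREF_KEY="KeepTokensOnLogout"      # assumed preference key

# should_unlog KEEP_PREF HOME -> 0 if unlog should run, 1 if tokens stay.
should_unlog() {
    case "$1" in
        1|true|yes|YES) return 1 ;;  # site preference: keep tokens (lab machines)
    esac
    case "$2" in
        /afs/*) return 1 ;;          # home directory lives in AFS: never unlog
    esac
    return 0
}

# Site preference; defaults to false when unset or when `defaults` is absent.
read_keep_pref() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$PREF_DOMAIN" "$PREF_KEY" 2>/dev/null || echo false
    else
        echo false
    fi
}

# Home directory of the user, from the directory service (tilde as fallback).
user_home() {
    if command -v dscl >/dev/null 2>&1; then
        dscl . -read "/Users/$1" NFSHomeDirectory 2>/dev/null | awk '{print $2}'
    else
        eval echo "~$1"
    fi
}

logout_hook() {
    [ -n "$1" ] || return 1
    if should_unlog "$(read_keep_pref)" "$(user_home "$1")"; then
        su "$1" -c unlog   # tokens are tied to the uid, so unlog as that user
    fi
}

if [ $# -gt 0 ]; then
    logout_hook "$1"
fi
```

Register it with `defaults write com.apple.loginwindow LogoutHook /path/to/script`; on lab machines with AFS home directories, set the assumed preference to true (or leave the `/afs/*` check to catch them) so tokens survive the GUI logout.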