[OpenAFS-port-darwin] krb5 aklog.loginlogout ?

Ragnar Sundblad ragge@nada.kth.se
Fri, 18 Jun 2004 17:40:55 +0200


--On 18 June 2004 01:08 -0700 Alexei Kosut <akosut@cs.stanford.edu> wrote:

> More significantly, it means that if I walk up to your computer, type
> "kinit" to get Kerberos credentials (which will automatically get AFS
> tokens via the plugin), then type "kdestroy" and walk away, that session
> will still have my AFS tokens and you can access my files when I probably
> expected the kdestroy to have completely logged me out from Kerberos
> services, especially if I didn't know you had AFS set up on the system.

True. We ask our users to either log out or lock their screen,
never to just kdestroy/unlog and walk away.

> That said, if you're using AFS home directories, Mac OS X (at least as of
> Jaguar) needs to write to your home directory after it destroys your
> Kerberos credentials during the GUI logout.  So unlogging on credential
> destruction turns out to be problematic in that case.

Yup!

> If I recall correctly, what we did at Stanford was unlog-on-logout for
> casual users with local home directories who also want to access their
> AFS space (most users), but used a preference to turn the unlog off for
> lab machines set up to use AFS home directories.  On systems like that,
> it doesn't really matter that the tokens remain associated with the uid,
> since to log in as that user would require you to authenticate as that
> user using Kerberos.  And since we didn't allow remote logins to those
> systems, there's only the single console session to worry about.

We have the same passwd information, or rather, the same
username<->uid mapping, on all our unix systems, so we don't
really have that problem. (We also have all our home
directories in AFS, but that doesn't really matter here.)

We don't actively unlog on any platform (I think).

/ragge
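As an added illustration of the policy Alexei describes above (unlog on GUI logout for users with local home directories, but keep the tokens when the home directory lives in AFS or when a site preference turns the unlog off), here is a small logout-hook style script. It is example code written for this archive page, not code from the thread, from Stanford, or from OpenAFS. The preference is passed in as the string "on"/"off" (an assumption; a real hook would read it from a configuration file), and the real `unlog` and `kdestroy` commands are only invoked if they exist on PATH.

```shell
#!/bin/sh
# Example logout hook (not from the original thread).
# Policy: destroy AFS tokens and Kerberos tickets at logout unless
#   - the administrator preference is "off" (lab machines), or
#   - the home directory is in AFS, where Mac OS X still writes to it
#     after credential destruction, so unlogging would break the logout.

# should_unlog HOME_DIR PREF
#   returns 0 if tokens should be destroyed at logout, 1 if they should be kept
should_unlog() {
    home_dir=$1
    pref=$2            # "on" or "off"; assumed input format, not a real OpenAFS setting
    if [ "$pref" = "off" ]; then
        return 1       # site preference disables unlog on this machine
    fi
    case "$home_dir" in
        /afs/*) return 1 ;;   # AFS home directory: keep tokens for post-logout writes
    esac
    return 0
}

# logout_hook HOME_DIR PREF
#   runs the credential cleanup when policy says so; returns 0 if it
#   unlogged, 1 if tokens were deliberately kept
logout_hook() {
    if should_unlog "$1" "$2"; then
        if command -v unlog >/dev/null 2>&1; then
            unlog             # drop AFS tokens for this uid
        fi
        if command -v kdestroy >/dev/null 2>&1; then
            kdestroy          # drop the Kerberos ticket cache
        fi
        return 0
    fi
    return 1
}

# Constructed sample invocations (no real credentials involved):
#   logout_hook /Users/alice on              -> unlogs
#   logout_hook /afs/example.org/home/alice on -> keeps tokens
#   logout_hook /Users/alice off             -> keeps tokens
```

Note that this only addresses the GUI logout case; it does nothing for the scenario Alexei raises first, where a user runs `kdestroy` by hand and walks away, which is exactly why the advice in this reply is to log out or lock the screen rather than rely on `kdestroy`/`unlog`.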