At 11:46 AM 7/18/99, Jan Harkes wrote:
>> CODA security tokens expire after a day -- how does one keep
>> tokens held by daemons from expiring?
>
>You don't really. On our webserver there is a cronjob that obtains a new
>token every day.
>
>Another solution might be the `tokentool' that got included into the
>5.2.7 (source) release, which allows an administrator who knows the
>auth2 key to generate a user token with a longer validity. I used it
>when I went on vacation for 2 weeks to make sure my email wouldn't start
>bouncing all over the place. It can be found it in the coda-src/auth2
>directory.

Thanks for the quick reply.  BTW, is this a "bug" or a "feature"?
It seems kind of unusal to have a daily cronjob that uses the cleartext
administrator's password.  For example, the server could instead validate
the client with a simple zero-knowledge authentication scheme such as
the one described here:

	http://srp.stanford.edu/srp/doc.html

Is the 25-hour rule inherited from AFS?

Pete Gonzalez