Coda File System

Re: getting tokens when disconnected

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Thu, 4 Nov 1999 17:26:51 -0500

On Thu, Nov 04, 1999 at 01:11:56PM +0100, Major A wrote:
> 
> Hello,
> 
> just a quick question on the way of working of Coda. I understand that
> there is a possibility to get tokens while disconnected. What does that
> mean? How can a client tell whether or not I typed in the right password?
> Does it transfer the authentication database from the server periodically
> in order to be able to check? Or maybe the password is not checked for but
> a pseudo-token generated and only checked on reconnection?
> 
> Thanks,
> 
>    Andras

The Coda client doesn't expire tokens while disconnected. It is not
possible to interactively get tokens during a disconnection, but there
is one alternative.

A Coda authentication token can be stored in a file.

While connected (or on a connected machine), do clog -tofile xxx. Then
somehow move the file xxx over to the disconnected machine (email/pager:)
and use clog -fromfile xxx to pass the token off to venus.

There is also the 'tokentool' program in the source tree, which an
administrator can use to make (insecure) long-term tokens. These can be
given to a user who goes away for a week, or ahum `safely' stored on a
machine so that the passwords don't have to be put in the cronjobs.
Of course all communication based on such a long-term token uses the same
session key. If it weren't for the use of XOR encoding, this would
weaken security considerably ;)

Actually those token-files should be encrypted and password protected.
If someone gets his hands on this file, he gets full access until the
token expires.

Jan
Received on 1999-11-04 17:42:01
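
An added example, not part of the original message or the Coda source: since anyone who can read a token file gets full access until the token expires, this sketch refuses to hand a file to venus unless it is a regular, owner-only file. Only `clog -tofile` and `clog -fromfile` come from the post; the function names are hypothetical, and it is an assumption that clog honours the umask when it creates the file. It covers file permissions only, not the encryption the message also recommends.

```shell
#!/bin/sh
# Added example: permission hygiene around Coda token files.
# `clog -tofile` / `clog -fromfile` are from the post; the helper
# names below are hypothetical.

# Print one line per problem with token file $1; return 0 only if clean.
token_file_problems() {
    f=$1
    rc=0
    if [ -L "$f" ]; then
        echo "$f: is a symlink"
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file"
        return 1
    fi
    if [ ! -O "$f" ]; then
        echo "$f: not owned by the current user"
        rc=1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$f: accessible to group/other ($mode)"
        rc=1
    fi
    return $rc
}

# Write a token to $1 with owner-only permissions (run while connected).
# Assumption: clog creates the file subject to the current umask.
save_token_file() {
    ( umask 077 && clog -tofile "$1" ) && chmod 600 -- "$1"
}

# Hand the token in $1 to venus only if the file passed the checks.
load_token_file() {
    token_file_problems "$1" >&2 || return 1
    clog -fromfile "$1"
}
```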