Coda File System

Re: Tokens question

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Mon, 17 Jan 2000 17:58:14 -0500

On Mon, Jan 10, 2000 at 10:40:33AM +1000, Bradley Marshall wrote:
> One of the biggest queries I have at the moment however,
> is how people keep tokens up to date - I can see our users
> complaining about having to re-enter their password every
> 25 hours.  Is there some method of easily renewing the tokens,
> without having to enter the password?  Or some way of increasing
> the timeout from 25 hours to something higher?

It would be nice to have a `clog-daemon', which a user can give some
identifying material (x509 certificate/password/whatever) that can
re-obtain tokens when they expire (venus can ask for a new token a
couple of minutes before the current token expires).

But, we don't have one yet.

Creating tokens with a longer lifetime is possible, just modify the
auth2 daemon (coda-src/auth2/auth2.c, line 525). But do realize that
extending the valid lifetime of a token is a bad choice security-wise.
It will also make the users less aware of the fact that tokens actually
expire, so when their token does expire they will not understand why
things suddenly go wrong.

> I found a reference to a PAM coda module, which seems to allow
> users to obtain coda tokens when they log in, but I think
> we'll need something slightly different as it doesn't appear
> to allow you to keep the token for longer than 25 hours.

It is the server that generated the token; by hacking the auth2 daemon,
even this pam-module will get longer-lived tokens.

Jan
Received on 2000-01-17 18:00:33