>I too have gotten bitten by this -- mail in my case, though our crummy >solution was just to set up a second mail server which spread out the >load enough for it to stop breaking (for now). I'd also like to see a >new pag system that lacks this "throttling/resource exhaustion" >characteristic.
According to the comments in the source code, the concern isn't really resource exhaustion, but the fact that an attacker could allocate enough PAGs to wrap around the space and join an existing PAG (whether or not you call that "resource exhaustion" is a matter of semantics, I guess). I see a remarkably simple solution to these problems, though. All of the cases mentioned to date take place on "trusted" servers (ones that likely don't permit general user login). If you define AFS_WEB_ENHANCEMENTS when building the Openafs client, the 1-second throttling is disabled. You shouldn't do this unless you understand the security concerns, though. (I suspect in more than a few cases, the people who are running into this really don't need a new PAG and they're just being bit by ka_UserAuthenticateGeneral(), but no doubt a number of these cases do need a new PAG). --Ken _______________________________________________ OpenAFS-devel mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-devel
