[19167] in Kerberos


Apps acquiring tickets (was Re: gssapi/openssh)

daemon@ATHENA.MIT.EDU (James F.Hranicky)
Fri May 2 10:25:33 2003

Date: Fri, 2 May 2003 10:24:33 -0400
From: "James F.Hranicky" <jfh@cise.ufl.edu>
To: Simon Wilkinson <sxw@warspite.inf.ed.ac.uk>
Message-Id: <20030502102433.15a3d313.jfh@cise.ufl.edu>
In-Reply-To: <Pine.LNX.4.44.0304301819480.7976-100000@warspite.inf.ed.ac.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
cc: kerberos@MIT.EDU
Errors-To: kerberos-bounces@mit.edu

On Wed, 30 Apr 2003 18:25:47 +0100
Simon Wilkinson <sxw@warspite.inf.ed.ac.uk> wrote:

> No, it doesn't. Philosophically, I don't think that it's the job of the
> client to go out and get credentials, if none exist. Practically, doing
> so would require the client to know about the underlying GSSAPI mechanism,
> which at present it doesn't need to.

I understand this sentiment (especially with GSSAPI given it's a layer that
uses Kerberos, but isn't itself Kerberos), but I think that if the following 
were true it would be a boon for the user:

	1) applications could get a TGT for a given realm stored in a single
	   common place that other apps could use

	2) the ticket cache could contain TGTs for multiple realms

Then you could simply "be" however many principals you want to be at a given
time, and get prompted for re-authorization when necessary.

Perhaps 1) could be satisfied by "kinitd" that runs in the background and 
pops up a window when your TGT expires, or if you're at a terminal, runs
in the background and spits out a message saying "run kinit for this realm".
However, "kinitd" probably wouldn't be tied to the apps in any way, e.g.,
receiving notification from an app when the app finds the TGT is expired.

2) would probably require code mods to Kerberos, though I'd think that would
be very useful.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
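
The expiry check a "kinitd"-style helper like the one proposed in this message would need, as an added example that is not part of the original post or of any Kerberos distribution. It assumes input in the layout MIT `klist -A` prints for several caches; the function names, principals, realms and sample text are constructed for illustration.

```python
from datetime import datetime, timedelta
import re

# Constructed sample (not from the post), in the layout MIT `klist -A` prints
# for a cache collection; the date layout is an assumption and varies by build.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_demo_a
Default principal: alice@REALM-A.EXAMPLE
Valid starting       Expires              Service principal
05/02/2003 08:00:00  05/02/2003 18:00:00  krbtgt/REALM-A.EXAMPLE@REALM-A.EXAMPLE
05/02/2003 08:05:00  05/02/2003 18:00:00  host/shell.realm-a.example@REALM-A.EXAMPLE
Ticket cache: FILE:/tmp/krb5cc_demo_b
Default principal: alice/admin@REALM-B.EXAMPLE
Valid starting       Expires              Service principal
05/02/2003 01:00:00  05/02/2003 10:30:00  krbtgt/REALM-B.EXAMPLE@REALM-B.EXAMPLE
Ticket cache: FILE:/tmp/krb5cc_demo_c
Default principal: alice@REALM-C.EXAMPLE
Valid starting       Expires              Service principal
05/01/2003 08:00:00  05/01/2003 18:00:00  krbtgt/REALM-C.EXAMPLE@REALM-C.EXAMPLE
"""

STAMP = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
TICKET = re.compile(rf"{STAMP}\s+{STAMP}\s+(\S+)")
FMT = "%m/%d/%Y %H:%M:%S"

def tgt_status(klist_text, now, warn_within=timedelta(minutes=15)):
    """Map each cache's default principal to 'ok', 'expiring', 'expired' or 'missing'."""
    status, principal = {}, None
    for line in klist_text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            status[principal] = "missing"  # until a local-realm TGT is seen
            continue
        m = TICKET.match(line.strip())
        if not m or principal is None:
            continue
        realm = principal.rsplit("@", 1)[1]
        if m.group(3) != f"krbtgt/{realm}@{realm}":
            continue  # service tickets do not decide whether kinit is needed
        left = datetime.strptime(m.group(2), FMT) - now
        status[principal] = ("expired" if left <= timedelta(0)
                             else "expiring" if left <= warn_within else "ok")
    return status

def notices(status):
    """Messages a terminal-mode helper would print, one per principal needing kinit."""
    return [f"run kinit for {p} (TGT {s})" for p, s in status.items() if s != "ok"]
```

A background helper would feed this the output of `klist -A` on a timer and print or pop up each notice; it only reports and never handles passwords itself.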
