[19171] in Kerberos


Re: Apps aquiring tickets (was Re: gssapi/openssh)

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri May 2 11:08:13 2003

Message-ID: <3EB28936.8C5B209C@anl.gov>
Date: Fri, 02 May 2003 10:05:26 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: "James F.Hranicky" <jfh@cise.ufl.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
cc: Simon Wilkinson <sxw@warspite.inf.ed.ac.uk>
Errors-To: kerberos-bounces@mit.edu

You are asking for trouble if any application can ask the user to
enter their password at any time. They will, and will try all of
their passwords if they have to. Better to train them to enter it
only at specific times, like login, and be suspicious if any application
asks for their password.


"James F.Hranicky" wrote:
> 
> On Wed, 30 Apr 2003 18:25:47 +0100
> Simon Wilkinson <sxw@warspite.inf.ed.ac.uk> wrote:
> 
> > No, it doesn't. Philosophically, I don't think that its the job of the
> > client to go out and get credentials, if none exist. Practically, doing
> > so would require the client to know about the underlying GSSAPI mechanism,
> > which at present it doesn't need to.
> 
> I understand this sentiment (especially with GSSAPI given it's a layer that
> uses Kerberos, but isn't itself Kerberos), but I think that if the following
> were true it would be a boon for the user:
> 
>         1) applications could get a TGT for a given realm stored in a single
>            common place that other apps could use


Kerberos does this.

> 
>         2) the ticket cache could contain TGTs for multiple realms
> 
> Then you could simply "be" however many principals you want to be at a given
> time, and get prompted for re-authorization when necessary.
> 
> Perhaps 1) could be satisfied by "kinitd" that runs in the background and
> pops up a window when your TGT expires, or if you're at a terminal, runs
> in the background and spits out a message saying "run kinit for this realm".
> However, "kinitd" probably wouldn't be tied to the apps in any way, e.g.,
> receiving notification from an app when the app finds the TGT is expired.
> 
> 2) would probably require code mods to Kerberos, though I'd think that would
> be very useful.
> 
> ----------------------------------------------------------------------
> | Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
> | E314D CSE Building                            Phone (352) 392-1499 |
> | jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
> ----------------------------------------------------------------------
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
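The "kinitd" idea from Jim's message, combined with Doug's point that the tool should tell the user to run kinit rather than prompt for a password itself, as an added example that is not code from either poster or from MIT Kerberos: a Python sketch that reads MIT `klist` output for the shared credential cache, classifies each wanted realm's TGT as ok, expiring, expired or missing, and emits a "run kinit for this realm" message. The `klist` line layout, the sample cache contents, the realm names and the 30-minute warning window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output; not captured from a real system.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jfh@EXAMPLE.EDU

Valid starting       Expires              Service principal
05/02/2003 10:05:26  05/02/2003 20:05:26  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
05/02/2003 10:06:00  05/02/2003 11:00:00  krbtgt/OTHER.ORG@EXAMPLE.EDU
"""
# Fixed "current time" so the example is reproducible offline.
SAMPLE_NOW = datetime(2003, 5, 2, 10, 45, 0)

# Matches a ticket line whose service principal is a TGT (krbtgt/REALM@...).
TGT_LINE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/([^@\s]+)@(\S+)$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_tgts(klist_text):
    """Return {realm: expiry datetime} for every TGT line in klist output."""
    tgts = {}
    for line in klist_text.splitlines():
        m = TGT_LINE.match(line.strip())
        if m:
            tgts[m.group(3)] = datetime.strptime(m.group(2), TIME_FMT)
    return tgts


def check_realms(klist_text, wanted_realms, now, warn=timedelta(minutes=30)):
    """Classify each wanted realm as 'ok', 'expiring', 'expired' or 'missing'."""
    tgts = parse_tgts(klist_text)
    status = {}
    for realm in wanted_realms:
        exp = tgts.get(realm)
        if exp is None:
            status[realm] = "missing"
        elif exp <= now:
            status[realm] = "expired"
        elif exp - now <= warn:
            status[realm] = "expiring"
        else:
            status[realm] = "ok"
    return status


def advice(status):
    """Messages for the user; the tool never asks for a password itself."""
    return [f"run kinit for realm {r}" for r, s in sorted(status.items()) if s != "ok"]


if __name__ == "__main__":
    realms = ["EXAMPLE.EDU", "OTHER.ORG", "THIRD.NET"]
    for msg in advice(check_realms(SAMPLE_KLIST, realms, SAMPLE_NOW)):
        print(msg)
```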
