[19208] in Kerberos
Re: Apps acquiring tickets
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed May 7 13:05:10 2003
To: Alexandra Ellwood <lxs@mit.edu>
From: Sam Hartman <hartmans@MIT.EDU>
Date: Wed, 07 May 2003 13:04:28 -0400
In-Reply-To: <p06001004bade1a1bb755@[18.18.1.18]> (Alexandra Ellwood's
message of "Wed, 7 May 2003 12:55:20 -0400")
Message-ID: <tsl65om8z8j.fsf@mit.edu>
cc: greg@enjellic.com
cc: kerberos@mit.edu
>>>>> "Alexandra" == Alexandra Ellwood <lxs@MIT.EDU> writes:
>> People looking at this should consider the Kerberos login
>> library architecture used by KFM and look at whether that
>> architecture is appropriate for other platforms.
>>
>> Decisions that KLL makes:
>>
>> 1) The graphical prompting is done in the context of the
>> application. You could argue against this because it means any
>> arbitrary application can prompt you for a password.
Alexandra> This was true in Mac OS 9. In Mac OS X, the
Alexandra> application makes the request to prompt (as a side
Alexandra> effect of trying to look up the default ccache), but
Alexandra> the actual dialog is presented by the
Alexandra> KerberosLoginServer, a separate process launched from
Alexandra> inside the Kerberos framework. This is similar to the
Alexandra> behavior of the SecurityAgent which presents the
Alexandra> administrator password dialog for Mac OS X's Security
Alexandra> Services.

OK, I was trying to distinguish this from the Windows behavior where
you should really only be entering your password after hitting
ctrl-alt-del, and the process that asks you for your password is
long-running and has never been influenced by the user context.

The Mac behavior is very convenient for users, but there is no way for
a user to easily tell if the password dialogue is really presented by
the right process instead of something that looks like it.

Alexandra> Mac laptop users often put their machines to sleep for
Alexandra> periods longer than typical ticket lifetimes (eg:
Alexandra> overnight). Since these machines cannot renew their
Alexandra> tickets while asleep, and tickets cannot be renewed
Alexandra> once they have expired, the user needs to get new
Alexandra> tickets when they un-sleep the machine.

I wonder how Windows deals with this.