[16881] in Kerberos_V5_Development
Re: Obtaining a TGT without unrestricted access to password.
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Jun 15 21:29:01 2011
From: Russ Allbery <rra@stanford.edu>
To: David Woodhouse <dwmw2@infradead.org>
In-Reply-To: <1308186302.3450.200.camel@i7.infradead.org> (David Woodhouse's
message of "Thu, 16 Jun 2011 02:04:59 +0100")
Date: Wed, 15 Jun 2011 18:28:55 -0700
Message-ID: <877h8ma7jc.fsf@windlord.stanford.edu>
Cc: Guido Günther <agx@sigxcpu.org>, stefw@collabora.co.uk, krbdev@mit.edu, gnome-keyring-list@gnome.org
David Woodhouse <dwmw2@infradead.org> writes:
> I'm trying to implement automatic renewal of Kerberos tickets during the lifetime of a user's session.
> The user's password is learned at login time and stored within the gnome-keyring dæmon.
Why don't you just obtain renewable tickets and renew them instead of storing the password in memory?
> My second thought was that perhaps the keyring could be asked for the result of str2key on the password. That's not the actual *password*, at least. But I suspect that even that is still too sensitive to be handing it out?
It's completely equivalent to the password.
-- Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
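Added example, not part of the thread or of any MIT Kerberos code: a sketch of the decision a session agent can make from the ticket cache alone, following the suggestion above to renew renewable tickets rather than keep the password or its str2key result. The `klist` text is a constructed sample, its date layout is an assumption, and `parse_tgt` and `next_action` are hypothetical names.

```python
import re
from datetime import datetime

# Constructed sample of MIT `klist` output for a renewable TGT (not from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/15/2011 18:00:00  06/16/2011 04:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/22/2011 18:00:00
"""

_TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
_FMT = "%m/%d/%Y %H:%M:%S"  # assumption: klist's date layout varies by version and locale
_TGT = re.compile(_TS + r"\s+" + _TS + r"\s+krbtgt/\S+(?:\s+renew until " + _TS + r")?")


def parse_tgt(klist_text):
    """Return (start, expires, renew_till) of the TGT; renew_till is None if not renewable."""
    m = _TGT.search(klist_text)
    if m is None:
        raise ValueError("no krbtgt entry found")
    return tuple(datetime.strptime(g, _FMT) if g else None for g in m.groups())


def next_action(klist_text, now):
    """What an agent holding only the ticket cache (no password, no key) should do."""
    start, expires, renew_till = parse_tgt(klist_text)
    if now >= expires:
        return "reauthenticate"  # an expired ticket can no longer be renewed
    can_extend = renew_till is not None and renew_till > expires
    if can_extend and now >= start + (expires - start) / 2:
        return "renew"           # e.g. run `kinit -R`; no password involved
    return "wait"


if __name__ == "__main__":
    for hour in (19, 23):
        print(hour, next_action(SAMPLE_KLIST, datetime(2011, 6, 15, hour, 30)))
    print(next_action(SAMPLE_KLIST, datetime(2011, 6, 16, 5, 0)))
```

Once the renew-until time has passed, or the ticket has been allowed to expire, the only path left is a fresh authentication by the user.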