[16882] in Kerberos_V5_Development
Re: Obtaining a TGT without unrestricted access to password.
daemon@ATHENA.MIT.EDU (David Woodhouse)
Thu Jun 16 03:59:30 2011
From: David Woodhouse <dwmw2@infradead.org>
To: Russ Allbery <rra@stanford.edu>
Date: Thu, 16 Jun 2011 08:59:18 +0100
In-Reply-To: <877h8ma7jc.fsf@windlord.stanford.edu>
Message-ID: <1308211159.3450.205.camel@i7.infradead.org>
Mime-Version: 1.0
Cc: Guido Günther <agx@sigxcpu.org>, stefw@collabora.co.uk,
krbdev@mit.edu, gnome-keyring-list@gnome.org
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Wed, 2011-06-15 at 18:28 -0700, Russ Allbery wrote:
> David Woodhouse <dwmw2@infradead.org> writes:
>
> > I'm trying to implement automatic renewal of Kerberos tickets during the
> > lifetime of a user's session.
> >
> > The user's password is learned at login time and stored within the
> > gnome-keyring dæmon.
>
> Why don't you just obtain renewable tickets and renew them instead of
> storing the password in memory?
Renewable tickets are all very well, but they're typically only renewable for ten days or so. And they also need to be renewed every ten hours, which isn't always possible on a sporadically-connected device. A laptop or tablet might be turned off, or outside the corporate network, for longer than that period of time every night.
> > My second thought was that perhaps the keyring could be asked for the
> > result of str2key on the password. That's not the actual *password*, at
> > least. But I suspect that even that is still too sensitive to be handing
> > it out?
>
> It's completely equivalent to the password.
Thanks. Stef asked the follow-up question that occurs to me: Is that *really* equivalent, in that I can reverse it and then learn the password and type it into other things?
Or just 'password-equivalent' in that you can always obtain a TGT for the given principal with it, and not even for the same user in any *other* Kerberos realms?
-- dwmw2
_______________________________________________
krbdev mailing list
krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
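The two senses of "password-equivalent" raised in the message above can be made concrete by looking at what str2key actually computes for the AES enctypes. This is an added example, not code posted in the thread or part of MIT Kerberos: it implements the PBKDF2 stage of RFC 3962 string-to-key with the RFC 4120 default salt (realm followed by the principal's name components), using only the Python standard library. The final DK(tkey, "kerberos") step of RFC 3961, which needs an AES implementation, is deliberately left out, so the values produced are RFC 3962's intermediate `tkey`, not the finished session key; the realm `EXAMPLE.ORG` and principals used for the comparison are constructed for illustration, while `ATHENA.MIT.EDU`/`raeburn` is the RFC 3962 Appendix B test vector.

```python
"""Kerberos AES string-to-key, PBKDF2 stage only (RFC 3962 section 4).

Added example; not code from the krbdev thread or from MIT Kerberos.
Two properties answer the question in the thread:
  1. The output is one-way: PBKDF2-HMAC-SHA1 cannot be inverted to the
     password. The only route back is to recompute it for a guess.
  2. The salt is realm + principal, so the same password gives an
     unrelated key in another realm; a leaked key is "equivalent" to the
     password for exactly one principal in one realm (modulo guessing).
The DK(tkey, "kerberos") step of RFC 3961 is omitted (needs AES); the
values here are RFC 3962's intermediate 'tkey'.
"""
import hashlib
import hmac

DEFAULT_ITERATIONS = 4096  # RFC 3962 default when the KDC sends no count


def default_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 default salt: realm, then name components, no separators.

    'ATHENA.MIT.EDU' + 'raeburn'   -> b'ATHENA.MIT.EDUraeburn'
    'EXAMPLE.ORG' + 'host/www.x'   -> b'EXAMPLE.ORGhostwww.x'
    """
    components = principal.split("/")
    return (realm + "".join(components)).encode("utf-8")


def str2key_tkey(password: str, realm: str, principal: str,
                 key_len: int = 16,
                 iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 over the UTF-8 password with the default salt.

    key_len is 16 for aes128-cts-hmac-sha1-96, 32 for aes256.
    """
    salt = default_salt(realm, principal)
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, key_len)


def same_password_other_realm_differs(password: str, principal: str,
                                      realm_a: str, realm_b: str) -> bool:
    """The realm is part of the salt, so a key for REALM_A says nothing
    about the key for the same user and password in REALM_B."""
    key_a = str2key_tkey(password, realm_a, principal)
    key_b = str2key_tkey(password, realm_b, principal)
    return not hmac.compare_digest(key_a, key_b)


def confirms_guess(candidate: str, realm: str, principal: str,
                   derived: bytes) -> bool:
    """Recompute-and-compare is the only way from key back toward password.

    This is the risk in handing the str2key result out: whoever holds it
    can check password guesses offline without talking to the KDC, which
    is why it must be protected exactly like the password itself.
    """
    recomputed = str2key_tkey(candidate, realm, principal,
                              len(derived), DEFAULT_ITERATIONS)
    return hmac.compare_digest(recomputed, derived)


if __name__ == "__main__":
    # RFC 3962 Appendix B vector: iteration count 1, 128-bit PBKDF2 output.
    vec = str2key_tkey("password", "ATHENA.MIT.EDU", "raeburn", 16, 1)
    print("RFC 3962 tkey:", vec.hex())
    # Constructed comparison: same user and password, two realms.
    print("differs across realms:",
          same_password_other_realm_differs("hunter2", "dwmw2",
                                            "EXAMPLE.ORG", "OTHER.EXAMPLE"))
```

Running the block prints the RFC 3962 intermediate for the `raeburn` vector (`cdedb5281bb2f801565a1122b2563515`) and `True` for the cross-realm comparison. The practical reading for the keyring design in the thread: a str2key result cannot be typed into anything else and does not transfer to other realms, but because it verifies guesses offline it is as sensitive as the password for that one principal, which is the sense in which the reply above calls it "completely equivalent".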