[16883] in Kerberos_V5_Development


Re: Obtaining a TGT without unrestricted access to password.

daemon@ATHENA.MIT.EDU (David Woodhouse)
Thu Jun 16 05:21:41 2011

From: David Woodhouse <dwmw2@infradead.org>
To: Guido Günther <agx@sigxcpu.org>
Date: Thu, 16 Jun 2011 10:21:28 +0100
In-Reply-To: <20110616064451.GA20569@bogon.sigxcpu.org>
Message-ID: <1308216089.3450.230.camel@i7.infradead.org>
Mime-Version: 1.0
Cc: Russ Allbery <rra@stanford.edu>, stefw@collabora.co.uk, krbdev@mit.edu,
   gnome-keyring-list@gnome.org
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Thu, 2011-06-16 at 08:44 +0200, Guido Günther wrote:
> I'm not sure if this is what David wants to achieve but if so couldn't
> we just move the auth part of krb5-auth-dialog into gkr keeping the
> notification parts and plugins of krb5-auth-dialog separate? We could
> then use krb5_get_init_creds_password with our own prompter and use
> the password if available.

That is our backup plan, but I share Stef's reticence. We really do want gnome-keyring to stick to what it does best, and not start getting involved in remote network operations.

I certainly don't think we'd ever actually do it *in* the gnome-keyring process. As well-trusted as libkrb5 may be, we just don't want *any* network code running in the gkr process. Instead, we'd give the password (or preprocessed password-as-key) out to a separate process. It would probably be best to do that by spawning a helper that we *know* will just do what it's supposed to be doing, rather than handing it out on demand to some existing process that asks for it, and having to invent some trust model to give us confidence in that.

But really, we don't want to be doing that at all. We *really* want to use gkr *only* for the crypto operations using the password, invoked from the appropriate places in libkrb5.

Using a "special" key as in my third approach *ought* to be feasible. After all, surely a krb5_keyblock can represent a key that is present in a hardware device and thus has the same restrictions — you can ask for operations to be performed using it, but you can't just ask for the key?

-- dwmw2
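The restriction described in the message above (a caller can ask for operations to be performed with the key, but cannot ask for the key) can be sketched as a key-holding process that answers only operation requests. This is an added example, not part of the original post and not libkrb5 or gnome-keyring code. The names `spawn_key_holder` and `request` and the `MAC`/`EXPORT` verbs are hypothetical, PBKDF2 and HMAC-SHA256 stand in for the Kerberos string-to-key and enctype operations, and a Linux host (fork, `SOCK_SEQPACKET`) is assumed.

```python
import hashlib
import hmac
import os
import socket

def derive(password: bytes, salt: bytes) -> bytes:
    # PBKDF2 stands in for the Kerberos string-to-key step (simplification).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def spawn_key_holder(password: bytes, salt: bytes):
    """Fork a holder process; return (socket to it, its pid)."""
    client, holder = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    pid = os.fork()
    if pid:                      # caller: keeps only a socket, never the key
        holder.close()
        return client, pid
    client.close()               # holder: the derived key exists only here
    key = derive(password, salt)
    try:
        while True:
            msg = holder.recv(65536)
            if not msg:          # peer closed its end
                break
            op, _, data = msg.partition(b" ")
            if op == b"MAC":     # HMAC stands in for an enctype operation
                tag = hmac.new(key, data, hashlib.sha256).digest()
                holder.send(b"OK " + tag)
            else:                # there is deliberately no "give me the key"
                holder.send(b"ERR unsupported")
    finally:
        os._exit(0)              # never fall back into the caller's code

def request(sock, op: bytes, data: bytes = b"") -> bytes:
    sock.send(op + b" " + data)
    return sock.recv(65536)

def demo():
    # Constructed values; a real keyring would already hold the secret.
    password, salt = b"constructed-password", b"EXAMPLE.ORGuser"
    sock, pid = spawn_key_holder(password, salt)
    challenge = b"constructed-preauth-data"
    mac = request(sock, b"MAC", challenge)
    refused = request(sock, b"EXPORT")
    sock.close()
    os.waitpid(pid, 0)
    expected = hmac.new(derive(password, salt), challenge, hashlib.sha256).digest()
    return mac == b"OK " + expected, refused

if __name__ == "__main__":
    print(demo())
```

The process that talks to the network would sit on the `request` side of the socket, so a compromise there yields the ability to request operations while the holder is running, not the long-term key.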
