[16884] in Kerberos_V5_Development
Re: Obtaining a TGT without unrestricted access to password.
daemon@ATHENA.MIT.EDU (David Woodhouse)
Thu Jun 16 06:11:35 2011
From: David Woodhouse <dwmw2@infradead.org>
To: Guido Günther <agx@sigxcpu.org>
Date: Thu, 16 Jun 2011 11:11:25 +0100
In-Reply-To: <20110616064451.GA20569@bogon.sigxcpu.org>
Message-ID: <1308219086.3450.248.camel@i7.infradead.org>
Mime-Version: 1.0
Cc: Russ Allbery <rra@stanford.edu>, stefw@collabora.co.uk, krbdev@mit.edu,
gnome-keyring-list@gnome.org
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
(Digression)
On Thu, 2011-06-16 at 08:44 +0200, Guido Günther wrote:
> * fire up company vpn
> * acquire Kerberos credential
> * auth to smtp/imap/etc.
We all realise how much this user experience sucks, right?
The user shouldn't have to do those steps manually.
When the mailer wants to talk to the company's mail server, it should tell the connection manager. If you aren't currently on the company network, that will automatically trigger a VPN connection attempt. The user might be asked to authenticate to the VPN, so it may not be *entirely* transparent, but they certainly shouldn't have to think "oh, I am not connected so I will have to do that first otherwise my mail program will just be broken".

It's the same for authentication. The user shouldn't have to *manually* check whether their TGT is still valid and get a new one before running the mailer. If the mail program discovers that the TGT has expired, it should just go poke krb5-auth-dialog to get you a new one!

We fixed this in Evolution a while back; checking for the KRB5KRB_AP_ERR_TKT_EXPIRED or KRB5KDC_ERR_NEVER_VALID errors and poking krb5-auth-dialog manually:
http://git.gnome.org/browse/evolution-data-server/commit/?id=6c6dfcc9

But that only solves the problem for Evolution, and not for any other clients. It would be nice if perhaps we could hook into libkrb5 itself, so we can do that 'poke' in *one* place, rather than having to modify all the clients. Is that feasible?
-- dwmw2
_______________________________________________
krbdev mailing list
krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
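The "detect the expired-ticket error, poke krb5-auth-dialog, then retry" pattern the message attributes to Evolution, written up as an added Python example (not code from the message, from Evolution, or from libkrb5). It assumes the client library surfaces the krb5 error code as an exception attribute, and that krb5-auth-dialog can be poked over the session bus via an `org.gnome.KrbAuthDialog.acquireTgt` method; the `KerberosError` class is a constructed stand-in.

```python
import subprocess
from typing import Callable

# Error codes from the MIT krb5 error table: the table base plus the
# RFC 4120 protocol code (KDC_ERR_NEVER_VALID = 11, KRB_AP_ERR_TKT_EXPIRED = 32).
KRB5_ERROR_TABLE_BASE = -1765328384
KRB5KDC_ERR_NEVER_VALID = KRB5_ERROR_TABLE_BASE + 11
KRB5KRB_AP_ERR_TKT_EXPIRED = KRB5_ERROR_TABLE_BASE + 32
# Only these two mean "get a fresh TGT and try again"; anything else is a real failure.
TGT_REFRESH_ERRORS = {KRB5KDC_ERR_NEVER_VALID, KRB5KRB_AP_ERR_TKT_EXPIRED}


class KerberosError(Exception):
    """Constructed stand-in for the error a krb5/GSSAPI client binding raises."""

    def __init__(self, code: int):
        super().__init__(f"krb5 error {code}")
        self.code = code


def poke_krb5_auth_dialog(principal: str = "") -> bool:
    """Ask krb5-auth-dialog for a new TGT over D-Bus (assumed interface, not
    taken from the message). Returns True only if the dialog reported success."""
    cmd = ["dbus-send", "--session", "--print-reply",
           "--dest=org.gnome.KrbAuthDialog", "/org/gnome/KrbAuthDialog",
           "org.gnome.KrbAuthDialog.acquireTgt", f"string:{principal}"]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=120).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def run_with_tgt_refresh(operation: Callable[[], object],
                         acquire_tgt: Callable[[], bool] = poke_krb5_auth_dialog):
    """Run `operation`. If it fails because the TGT has expired (or is not yet
    valid), poke the dialog once and retry exactly once. Any other krb5 error,
    a refused/failed refresh, or a second failure propagates to the caller."""
    try:
        return operation()
    except KerberosError as err:
        if err.code not in TGT_REFRESH_ERRORS or not acquire_tgt():
            raise
    return operation()
```

The retry is deliberately single-shot so a client cannot loop forever prompting the user when the KDC keeps rejecting it.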