[16892] in Kerberos_V5_Development
Re: Obtaining a TGT without unrestricted access to password.
daemon@ATHENA.MIT.EDU (David Woodhouse)
Thu Jun 16 10:49:30 2011
From: David Woodhouse <dwmw2@infradead.org>
To: Russ Allbery <rra@stanford.edu>
Date: Thu, 16 Jun 2011 15:49:16 +0100
In-Reply-To: <871uyt283l.fsf@windlord.stanford.edu>
Message-ID: <1308235758.3450.298.camel@i7.infradead.org>
Mime-Version: 1.0
Cc: guido@pch.MIT.EDU, Günther <agx@sigxcpu.org>,
Stef Walter <stefw@collabora.co.uk>, krbdev@mit.edu,
gnome-keyring-list@gnome.org
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Thu, 2011-06-16 at 06:56 -0700, Russ Allbery wrote:
> The result of a Kerberos authentication is a Kerberos
> ticket-granting-ticket, which has a lifetime and a renewable lifetime. As
> long as you do so within the lifetime window, you can perform another
> authentication to the KDC using the ticket-granting-ticket,
For example:
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
06/16/11 10:47:56  06/16/11 20:48:00  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
	renew until 06/23/11 10:47:56

$ kinit -R   # Look ma! No password!

$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
06/16/11 15:39:39  06/17/11 01:39:43  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
	renew until 06/23/11 10:47:56
> So it's generally superior to storing the user's password in memory in
> every respect except when the user intentionally wants to not follow
> site policy as expressed in the renewable ticket lifetime.
> (Unfortunately, that last case is common, in part because a lot of
> sites don't realize they *have* set a policy.)
AFAICT most Windows sites *don't* set a policy. They just use the
standard Windows default of 10-hour/10-day tickets — because it doesn't
really make any significant difference to Windows clients, does it?

I only boot a Windows virtual machine occasionally these days, so I
don't remember the last time I had it running for more than 10 days at a
time. But I'm fairly sure it didn't ask for the password again after
that time was up. And I'm fairly sure it didn't demand to be connected
to the corporate network at least once every ten hours, so that it could
prevent its ticket from expiring. It just gets a new one when it needs
to.

Windows clients certainly don't force their users to think "oh, I'm
about to do something that's going to need to authenticate to the
network, so I'd best run kinit first". It "just works" there, obtaining
a new TGT when necessary and asking the user for their password only
when it doesn't actually match the one they logged in with.
-- dwmw2
_______________________________________________
krbdev mailing list
krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
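The klist/kinit -R exchange in the message above shows the two windows that govern password-less renewal: the ticket's own lifetime (10 hours here) and the renewable lifetime ("renew until", 7 days here). Anything that wants to keep a TGT fresh without holding the password, which is the whole point of the thread, has to know whether it is still inside both windows and what it will get back. The following is an added example written for this page, not code from the krbdev thread, from gnome-keyring or from MIT Kerberos: it parses the klist output quoted above (embedded as a constructed sample), answers "can kinit -R still succeed right now", reports the last instant at which it can, and models the renewed ticket. Two assumptions are labelled in the code: klist's default US-style timestamp format, and that the KDC re-grants the same ticket lifetime on renewal, clamped at renew-until (the real bound is the KDC's max_life policy; the quoted output, 10:47:56 -> 20:48:00 then 15:39:39 -> 01:39:43, is consistent with that).

```python
"""Model MIT Kerberos TGT renewal (kinit -R) from klist output.

Added example for this page; not code from the krbdev thread, gnome-keyring
or MIT Kerberos.  Runs offline on a constructed copy of the klist output
quoted in the message.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: the first klist output quoted in the message above.
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
06/16/11 10:47:56  06/16/11 20:48:00  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
\trenew until 06/23/11 10:47:56
"""

_TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
# Assumption: klist's default timestamp layout (mm/dd/yy HH:MM:SS), no locale override.
_FMT = "%m/%d/%y %H:%M:%S"


def ts(text: str) -> datetime:
    """Parse a klist-style timestamp."""
    return datetime.strptime(text, _FMT)


@dataclass(frozen=True)
class TGT:
    principal: str              # krbtgt/REALM@REALM
    start: datetime             # "Valid starting"
    expires: datetime           # "Expires"
    renew_until: Optional[datetime]   # None => ticket is not renewable at all


def parse_tgt(klist_text: str) -> TGT:
    """Pick the krbtgt entry (and its optional 'renew until' line) out of klist output."""
    pat = re.compile(
        rf"^({_TS})\s+({_TS})\s+(krbtgt/\S+)[ \t]*$"
        rf"(?:\n[ \t]*renew until ({_TS}))?",
        re.M,
    )
    m = pat.search(klist_text)
    if not m:
        raise ValueError("no krbtgt entry in klist output")
    start, expires, princ, renew = m.groups()
    return TGT(princ, ts(start), ts(expires), ts(renew) if renew else None)


def renewable_now(tgt: TGT, now: datetime) -> bool:
    """kinit -R only works while the current ticket is still valid AND before renew_until."""
    return (tgt.renew_until is not None
            and tgt.start <= now < tgt.expires
            and now < tgt.renew_until)


def last_chance(tgt: TGT) -> Optional[datetime]:
    """Latest instant at which kinit -R can still succeed; after this a password (or keytab) is needed."""
    if tgt.renew_until is None:
        return None
    return min(tgt.expires, tgt.renew_until)


def renew(tgt: TGT, now: datetime) -> Optional[TGT]:
    """Model the renewed TGT the KDC hands back, or None if renewal is no longer possible.

    Assumption: the KDC re-grants the original ticket's lifetime (stand-in for
    its max_life policy) and never lets the ticket outlive renew_until.
    """
    if not renewable_now(tgt, now):
        return None
    lifetime = tgt.expires - tgt.start
    return TGT(tgt.principal, now, min(now + lifetime, tgt.renew_until), tgt.renew_until)


if __name__ == "__main__":
    tgt = parse_tgt(KLIST_SAMPLE)
    print("last chance to kinit -R:", last_chance(tgt))
    renewed = renew(tgt, ts("06/16/11 15:39:39"))     # the time in the quoted second klist
    print("after kinit -R:", renewed.start, "->", renewed.expires)
    print("kinit -R at 21:00 the same day:", renew(tgt, ts("06/16/11 21:00:00")))
```

A credential-refreshing daemon built on this logic has to act before last_chance() rather than at the moment of expiry, and it must expect None on both failure modes (ticket already expired, renewable lifetime exhausted); in either case the only way forward is a fresh AS exchange with the password, which is exactly the prompt the Windows behaviour described above avoids by keeping the password available.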