[16894] in Kerberos_V5_Development


Re: Obtaining a TGT without unrestricted access to password.

daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Jun 16 11:10:42 2011

From: Simo Sorce <simo@redhat.com>
To: David Woodhouse <dwmw2@infradead.org>
In-Reply-To: <1308235758.3450.298.camel@i7.infradead.org>
Date: Thu, 16 Jun 2011 11:10:19 -0400
Message-ID: <1308237019.3182.98.camel@willson.li.ssimo.org>
Mime-Version: 1.0
Cc: Russ Allbery <rra@stanford.edu>, guido@pch.MIT.EDU,
   Günther <agx@sigxcpu.org>, gnome-keyring-list@gnome.org,
   krbdev@mit.edu, Stef Walter <stefw@collabora.co.uk>
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Thu, 2011-06-16 at 15:49 +0100, David Woodhouse wrote:
> AFAICT most Windows sites *don't* set a policy. They just use the
> standard Windows default of 10-hour/10-day tickets — because it doesn't
> really make any significant difference to Windows clients, does it?

They don't really need to because they can obtain a new ticket from scratch every time you unlock the screensaver (to which you give your password), which is what we do with sssd as well as the password goes down the pipe through pam.
So the case where a 10h/10d policy is not enough is extremely rare.
Simo.
-- Simo Sorce * Red Hat, Inc * New York
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
