[16897] in Kerberos_V5_Development
Re: gnome-keyring Obtaining a TGT without unrestricted access to
daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Jun 16 11:21:59 2011
From: Simo Sorce <simo@redhat.com>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87y611yfq7.fsf@windlord.stanford.edu>
Date: Thu, 16 Jun 2011 11:21:29 -0400
Message-ID: <1308237689.3182.100.camel@willson.li.ssimo.org>
Cc: Guido Günther <agx@sigxcpu.org>, David Woodhouse <dwmw2@infradead.org>,
gnome-keyring-list@gnome.org, krbdev@mit.edu, stefw@collabora.co.uk

On Thu, 2011-06-16 at 08:10 -0700, Russ Allbery wrote:
> For example, our ticket lifetime is 25 hours and our renewable lifetime is
> 14 days. I actually want our users to have to re-enter their password
> every 14 days, or rather, I want the person who stole their laptop to have
> full use of their account for at most 14 days after the point at which
> they stole it, even if they don't tell us about that.

Purpose that is defeated if someone stores the password in clear text,
in a way that the user can query it, or not in kernel protected
memory ... like gnome-keyring does ...
Simo.
--
Simo Sorce * Red Hat, Inc * New York