[16914] in Kerberos_V5_Development


RE: Obtaining a TGT without unrestricted access to password.

daemon@ATHENA.MIT.EDU (JC Ferguson)
Fri Jun 17 13:03:00 2011

From: JC Ferguson <jc@f5.com>
To: Russ Allbery <rra@stanford.edu>, David Woodhouse <dwmw2@infradead.org>
Date: Thu, 16 Jun 2011 01:35:18 +0000
Message-ID: <443EF1BADD3CFB43B17813F017974EC48DA0B0F0@LWLMBX01.olympus.F5Net.com>
In-Reply-To: <877h8ma7jc.fsf@windlord.stanford.edu>
Content-Language: en-US
MIME-Version: 1.0
Cc: =?utf-8?B?R3VpZG8gR8O8bnRoZXI=?= <agx@sigxcpu.org>,
   "stefw@collabora.co.uk" <stefw@collabora.co.uk>,
   "krbdev@mit.edu" <krbdev@mit.edu>,
   "gnome-keyring-list@gnome.org" <gnome-keyring-list@gnome.org>
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

I agree with Russ - renewable tickets are the way to go.

JC

-----Original Message-----
From: krbdev-bounces@mit.edu [mailto:krbdev-bounces@mit.edu] On Behalf Of Russ Allbery
Sent: Wednesday, June 15, 2011 21:29
To: David Woodhouse
Cc: Guido Günther; stefw@collabora.co.uk; krbdev@mit.edu; gnome-keyring-list@gnome.org
Subject: Re: Obtaining a TGT without unrestricted access to password.

David Woodhouse <dwmw2@infradead.org> writes:

> I'm trying to implement automatic renewal of Kerberos tickets during
> the lifetime of a user's session.

> The user's password is learned at login time and stored within the
> gnome-keyring dæmon.

Why don't you just obtain renewable tickets and renew them instead of storing the password in memory?

> My second thought was that perhaps the keyring could be asked for the
> result of str2key on the password. That's not the actual *password*,
> at least. But I suspect that even that is still too sensitive to be
> handing it out?

It's completely equivalent to the password.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev