[16916] in Kerberos_V5_Development


Re: Obtaining a TGT without unrestricted access to password.

daemon@ATHENA.MIT.EDU (Guido Günther)
Fri Jun 17 13:03:15 2011

Date: Thu, 16 Jun 2011 12:40:58 +0200
From: Guido Günther <agx@sigxcpu.org>
To: David Woodhouse <dwmw2@infradead.org>
Message-ID: <20110616104058.GB22281@bogon.sigxcpu.org>
In-Reply-To: <1308216089.3450.230.camel@i7.infradead.org>
Cc: Russ Allbery <rra@stanford.edu>, stefw@collabora.co.uk, krbdev@mit.edu,
   gnome-keyring-list@gnome.org

Hi David,
On Thu, Jun 16, 2011 at 10:21:28AM +0100, David Woodhouse wrote:
> On Thu, 2011-06-16 at 08:44 +0200, Guido Günther wrote:
> > I'm not sure if this is what David wants to achieve but if so couldn't
> > we just move the auth part of krb5-auth-dialog into gkr keeping the
> > notification parts and plugins of krb5-auth-dialog separate? We could
> > then use krb5_get_init_creds_password with our own prompter and use
> > the password if available. 
> 
> That is our backup plan, but I share Stef's reticence. We really do want
> gnome-keyring to stick to what it does best, and not start getting
> involved in remote network operations.
> 
> I certainly don't think we'd ever actually do it *in* the gnome-keyring
> process. As well-trusted as libkrb5 may be, we just don't want *any*
> network code running in the gkr process. Instead, we'd give the password
> (or preprocessed password-as-key) out to a separate process. It would
> probably be best to do that by spawning a helper that we *know* will
> just do what it's supposed to be doing, rather than handing it out on
> demand to some existing process that asks for it, and having to invent
> some trust model to give us confidence in that.
> 
> But really, we don't want to be doing that at all. We *really* want to
> use gkr *only* for the crypto operations using the password, invoked
> from the appropriate places in libkrb5.

How does this integrate with PKINIT and FAST? The reason
krb5-auth-dialog relies on krb5_get_init_creds_* is that the Kerberos
library handles asking for the right authentication (Password or e.g.
smartcard PIN) at the moment.
Cheers,
 -- Guido
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
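
The helper-spawn design described in the quoted text above, as an added example that is not part of the original message and is not gnome-keyring or libkrb5 code: the parent starts a fixed helper itself and hands it the password over a pipe, never in argv or the environment. The inline helper source, the salt, the password and the PBKDF2 fingerprint step are constructed assumptions, and no Kerberos exchange is performed.

```python
import os
import subprocess
import sys

# Constructed helper, standing in for a dedicated helper binary installed at a
# fixed path. It is the only process that would contain network code.
HELPER_SRC = r"""
import hashlib, sys
salt = sys.argv[1].encode()
password = sys.stdin.buffer.read()          # secret arrives on the pipe only
# Preprocessing stand-in: PBKDF2 step only, not a full Kerberos string-to-key.
key = hashlib.pbkdf2_hmac("sha1", password, salt, 4096, 32)
# A real helper would run the AS exchange here. This one returns only a
# fingerprint, so the caller can check the result without receiving the key.
sys.stdout.write(hashlib.sha256(key).hexdigest())
"""

# Environment variables the helper may inherit; everything else is dropped.
ENV_ALLOW = ("PATH", "LD_LIBRARY_PATH", "SYSTEMROOT")


def spawn_helper(salt: str, password: bytes):
    """Start the fixed helper, feed it the password on stdin, return (argv, env, output)."""
    argv = [sys.executable, "-I", "-c", HELPER_SRC, salt]
    env = {k: os.environ[k] for k in ENV_ALLOW if k in os.environ}
    proc = subprocess.run(argv, input=password, env=env,
                          capture_output=True, check=True, timeout=60)
    return argv, env, proc.stdout.decode()


if __name__ == "__main__":
    # Constructed sample values (salt modelled on realm + principal name).
    argv, env, fp = spawn_helper("EXAMPLE.COMalice", b"constructed-password")
    print("key fingerprint:", fp)
```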

