Re: Obtaining a TGT without unrestricted access to password.
daemon@ATHENA.MIT.EDU (Guido Günther)
Fri Jun 17 13:03:29 2011
Date: Thu, 16 Jun 2011 12:52:27 +0200
From: Guido Günther <agx@sigxcpu.org>
To: David Woodhouse <dwmw2@infradead.org>
Message-ID: <20110616105227.GC22281@bogon.sigxcpu.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <1308219086.3450.248.camel@i7.infradead.org>
Cc: Russ Allbery <rra@stanford.edu>, stefw@collabora.co.uk, krbdev@mit.edu,
gnome-keyring-list@gnome.org
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Thu, Jun 16, 2011 at 11:11:25AM +0100, David Woodhouse wrote:
> (Digression)
>
> On Thu, 2011-06-16 at 08:44 +0200, Guido Günther wrote:
> > * fire up company vpn
> > * acquire Kerberos credential
> > * auth to smtp/imap/etc.
>
> We all realise how much this user experience sucks, right?
Sure. That's exactly why I added the DBus API you're using in evo. This
could certainly be improved (there's no async API, etc.).
> The user shouldn't have to do those steps manually.
>
> When the mailer wants to talk to the company's mail server, it should
> tell the connection manager. If you aren't currently on the company
> network, that will automatically trigger a VPN connection attempt. The
> user might be asked to authenticate to the VPN, so it may not be
> *entirely* transparent, but they certainly shouldn't have to think "oh,
> I am not connected so I will have to do that first otherwise my mail
> program will just be broken".
>
> It's the same for authentication. The user shouldn't have to *manually*
> check whether their TGT is still valid and get a new one before running
> the mailer. If the mail program discovers that the TGT has expired, it
> should just go poke krb5-auth-dialog to get you a new one!
>
> We fixed this in Evolution a while back; checking for the
> KRB5KRB_AP_ERR_TKT_EXPIRED or KRB5KDC_ERR_NEVER_VALID errors and poking
> krb5-auth-dialog manually:
> http://git.gnome.org/browse/evolution-data-server/commit/?id=6c6dfcc9
>
> But that only solves the problem for Evolution, and not for any other
> clients. It would be nice if perhaps we could hook into libkrb5 itself,
> so we can do that 'poke' in *one* place, rather than having to modify
> all the clients. Is that feasible?
That sounds great. I'd be happy to drop the auth code from
krb5-auth-dialog and only leave it around for notifications and the
plugins (e.g. for afs).
Cheers,
-- Guido
>
> --
> dwmw2
>