[16922] in Kerberos_V5_Development

Re: Obtaining a TGT without unrestricted access to password.

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Jun 17 14:03:35 2011

Message-ID: <4DFB96F4.3010905@anl.gov>
Date: Fri, 17 Jun 2011 13:03:32 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: krbdev@mit.edu
In-Reply-To: <4DF9B60E.1010603@collabora.co.uk>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit



On 6/16/2011 2:51 AM, Stef Walter wrote:
> On 06/16/2011 07:44 AM, Guido Günther wrote:
>> I'm not sure if this is what David wants to achieve but if so couldn't
>> we just move the auth part of krb5-auth-dialog into gkr keeping the
>> notification parts and plugins of krb5-auth-dialog separate? We could
>> then use krb5_get_init_creds_password with our own prompter and use the
>> password if available.
>
> Pretty much because I'd like to try (if at all possible) to keep
> gnome-keyring as a password/secret/key-storage-daemon. Rather than a
> contact-remote-hosts-and-get-involved-in-protocols daemon.

This attitude by developers of stashing long-term secrets is exactly
why sites want to impose OTP, smart card or other non-password based
authentication.

>
> At this point it's unclear if we can factor out the password
> hashing/challenge-response stuff from kerberos and just put those
> algorithms in the daemon. But it's worth trying to make it work. Hence
> David's email.
>
> Cheers,
>
> Stef
> _______________________________________________
> krbdev mailing list             krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444