gnome-keyring: Using gkr for Kerberos/NTLM single-sign-on handling



In the 'Enterprise' build of MeeGo we have been using Samba/winbind to
provide single-sign-on capabilities. It will refresh our Kerberos TGT
for us, and it will allow client applications to use the ntlm_auth
helper tool to automatically perform NTLM authentication using the login
credentials, rather than allowing applications to know the password.

However, the Samba/winbind model (where we use pam_winbind.so to
authenticate directly against the network) is far from ideal. Firstly,
winbind is very unreliable on mobile devices that are not permanently
connected to the correct network. And secondly, if the network password
changes and we *do* happen to be online when the user logs in, we end up
logging in with a completely new password that cannot be used to unlock
the local gkr or ecryptfs, etc.

We need to move to the model that Windows uses, where you log in using
your *local* password (which lets you unlock your home directory
encryption and gnome-keyring, etc.), and then something *notices* that
your local password no longer matches the network password and prompts
you to enter your new network password.

That "something" should almost certainly be part of gnome-keyring.

We would like to add functionality to gkr so it can:
  - Automatically refresh Kerberos TGTs.
  - Handle automatic NTLM authentication via the existing
    /usr/bin/ntlm_auth helper tool interface that clients use.
  - "Notice" when the password has changed (i.e. obtaining a TGT fails),
    so a UI tool can prompt the user for a new network password.
  - Optionally change the local password to match the new network
    password, after validating it.

We have worked on an implementation of much of this, at
	http://git.infradead.org/gntlmd.git

It is based on a cut-down version of gkr, giving us the option of
merging it back into gkr or continuing along a separate path with it.
I'd much prefer to merge it back into gkr though...

Please don't look *too* hard at the current implementation; it's largely
a proof of concept and we know it'll need some cleaning up.

Please advise...

-- 
David Woodhouse                            Open Source Technology Centre
David Woodhouse intel com                              Intel Corporation
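The "notice that the password changed" step in the list above hinges on one distinction: a TGT refresh can fail because the KDC rejected the credentials, or simply because the device is off the corporate network, which on the intermittently connected mobile devices described here is the common case. The following is an added example, not code from gntlmd or gnome-keyring, showing the decision logic such a daemon would need. It parses constructed `klist` and `kinit` output embedded inline, assumes MIT Kerberos message wording, and never calls the real tools, so it runs offline; the function names (`tgt_expiry`, `needs_refresh`, `classify_kinit_failure`, `decide`) are this example's own.

```python
"""Decide when a Kerberos TGT needs refreshing and what a failed refresh means.

Added example; not part of the gntlmd / gnome-keyring proposal. The klist
layout and kinit error strings below are constructed samples in MIT
Kerberos style (assumption: check them against the installed version).
"""
import re
from datetime import datetime, timedelta
from typing import Optional

# --- constructed sample tool output -------------------------------------
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/02/2011 09:00:00  01/02/2011 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
01/02/2011 09:05:00  01/02/2011 19:00:00  cifs/fileserver.example.com@EXAMPLE.COM
"""

KINIT_BAD_PASSWORD = "kinit: Password incorrect while getting initial credentials"
KINIT_PREAUTH = "kinit: Preauthentication failed while getting initial credentials"
KINIT_EXPIRED = "kinit: Password has expired while getting initial credentials"
KINIT_NO_KDC = ("kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' "
                "while getting initial credentials")
KINIT_SKEW = "kinit: Clock skew too great while getting initial credentials"

# A klist line whose service principal is the TGT: two timestamps, then krbtgt/
_TGT_LINE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/", re.MULTILINE)
_KLIST_TIME = "%m/%d/%Y %H:%M:%S"   # assumed klist timestamp format


def tgt_expiry(klist_output: str) -> Optional[datetime]:
    """Expiry of the krbtgt entry in `klist` output, or None if no TGT is cached."""
    m = _TGT_LINE.search(klist_output)
    if m is None:
        return None
    return datetime.strptime(m.group(2), _KLIST_TIME)


def needs_refresh(klist_output: str, now: datetime,
                  margin: timedelta = timedelta(minutes=30)) -> bool:
    """True if there is no TGT or it expires within `margin` of `now`."""
    expiry = tgt_expiry(klist_output)
    return expiry is None or expiry - now <= margin


# Failure classes, matched against kinit's stderr. Reachability is tested
# first: an unreachable KDC says nothing about whether the password changed.
_UNREACHABLE = ("Cannot contact any KDC", "Cannot resolve", "Cannot find KDC")
_PASSWORD_EXPIRED = ("Password has expired",)
_PASSWORD_CHANGED = ("Password incorrect", "Preauthentication failed")


def classify_kinit_failure(stderr: str) -> str:
    """Map kinit's error text to: unreachable, password_expired, password_changed, unknown."""
    if any(s in stderr for s in _UNREACHABLE):
        return "unreachable"
    if any(s in stderr for s in _PASSWORD_EXPIRED):
        return "password_expired"
    if any(s in stderr for s in _PASSWORD_CHANGED):
        return "password_changed"
    return "unknown"          # e.g. clock skew: not a credential problem


_ACTIONS = {
    "unreachable": "retry_later",
    "unknown": "retry_later",
    "password_expired": "prompt_new_password",
    "password_changed": "prompt_new_password",
}


def decide(klist_output: str, kinit_stderr: Optional[str], now: datetime) -> str:
    """Action for the daemon: keep, refreshed, retry_later or prompt_new_password.

    `kinit_stderr` is None or empty when the refresh attempt succeeded.
    """
    if not needs_refresh(klist_output, now):
        return "keep"
    if not kinit_stderr:
        return "refreshed"
    return _ACTIONS[classify_kinit_failure(kinit_stderr)]


if __name__ == "__main__":
    late = datetime(2011, 1, 2, 18, 45)   # 15 minutes before the sample TGT expires
    for label, err in [("no KDC", KINIT_NO_KDC), ("bad password", KINIT_BAD_PASSWORD),
                       ("expired", KINIT_EXPIRED), ("clock skew", KINIT_SKEW)]:
        print(f"{label:12s} -> {decide(SAMPLE_KLIST, err, late)}")
```

Only a rejection by a reachable KDC leads to a password prompt; every other failure is scheduled for retry, so a device that is merely offline is never nagged for a new password it does not have.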
