Re: gnome-keyring Using gkr for Kerberos/NTLM single-sign-on handling
You may also begin thinking about marking credentials as
trusting certain applications because this is likely to
appear in the next iteration of Android.

I.e. if a bank issues a credential to a common key-store,
the bank may be interested in limiting the key's usage to
applications it has either created or trusts anyway (like
bank-app and platform browser).

This obviously requires that the whole stack from the OS
kernel to possible JVMs is enabled to provide some kind
of application identity to the key store provider.

Anders

On 2011-04-26 19:01, David Woodhouse wrote:
> In the 'Enterprise' build of MeeGo we have been using Samba/winbind to
> provide single-sign-on capabilities. It will refresh our Kerberos TGT
> for us, and it will allow client applications to use the ntlm_auth
> helper tool to automatically perform NTLM authentication using the login
> credentials, rather than allowing applications to know the password.
> 
> However, the Samba/winbind model (where we use pam_winbind.so to
> authenticate directly against the network) is far from ideal. Firstly,
> winbind is very unreliable on mobile devices that are not permanently
> connected to the correct network. And secondly, if the network password
> changes and we *do* happen to be online when the user logs in, we end up
> logging in with a completely new password that cannot be used to unlock
> the local gkr or ecryptfs, etc.
> 
> We need to move to the model that Windows uses, where you log in using
> your *local* password (which lets you unlock your home directory
> encryption and gnome-keyring, etc.), and then something *notices* that
> your local password no longer matches the network password and prompts
> you to enter your new network password.
> 
> That "something" should almost certainly be part of gnome-keyring.
> 
> We would like to add functionality to gkr so it can:
>   - Automatically refresh Kerberos TGTs.
>   - Handle automatic NTLM authentication via the existing
>     /usr/bin/ntlm_auth helper tool interface that clients use.
>   - "Notice" when the password has changed (i.e. obtaining a TGT fails),
>     so a UI tool can prompt the user for a new network password.
>   - Optionally change the local password to match the new network
>     password, after validating it.
> 
> We have worked on an implementation of much of this, at
> 	http://git.infradead.org/gntlmd.git
> 
> It is based on a cut-down version of gkr, giving us the option of
> merging it back into gkr or continuing along a separate path with it.
> I'd much prefer to merge it back into gkr though...
> 
> Please don't look *too* hard at the current implementation; it's largely
> a proof of concept and we know it'll need some cleaning up.
> 
> Please advise...
> 
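As an added illustration of the application-binding idea in Anders's reply (this is example code written for this page, not code from the thread, from gnome-keyring or from the gntlmd repository): a small in-memory key store whose credentials carry an issuer-chosen allow-list of application identities, and which only operates with a credential on behalf of callers the platform layer can identify. The identity shape (package name plus signer key digest), the pid-to-identity table and all names, secrets and package names are constructed assumptions standing in for what the kernel/JVM stack would have to supply.

```python
"""Issuer-scoped credential use in a shared key store (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class AppIdentity:
    """What the platform asserts about a caller.

    Assumed shape (not from the thread): package name plus the hex digest
    of the signing key, so an app with the same name but a different
    signer is a different identity and does not inherit the grant.
    """
    package: str
    signer_sha256: str


class PlatformIdentityProvider:
    """Stand-in for the OS/JVM layer that maps a calling process to an
    AppIdentity.  The table here is constructed for the example; a real
    provider would derive it from the kernel's view of the process and
    the application's verified signature."""

    def __init__(self, table: Dict[int, AppIdentity]):
        self._table = dict(table)

    def identify(self, pid: int) -> AppIdentity:
        try:
            return self._table[pid]
        except KeyError:
            raise LookupError(f"no verified identity for pid {pid}") from None


@dataclass
class Credential:
    cred_id: str
    issuer: str
    secret: bytes
    allowed: FrozenSet[AppIdentity]   # empty set => no application may use it
    audit: List[Tuple[str, str]] = field(default_factory=list)


class KeyStore:
    """Credentials never leave the store; it performs the operation itself,
    and only for applications the issuer listed."""

    def __init__(self, identity: PlatformIdentityProvider):
        self._identity = identity
        self._creds: Dict[str, Credential] = {}

    def provision(self, cred_id: str, issuer: str, secret: bytes,
                  allowed: Iterable[AppIdentity]) -> None:
        self._creds[cred_id] = Credential(cred_id, issuer, secret, frozenset(allowed))

    def sign(self, cred_id: str, caller_pid: int, message: bytes) -> str:
        cred = self._creds[cred_id]
        caller = self._identity.identify(caller_pid)   # unidentified callers never reach the key
        if caller not in cred.allowed:
            cred.audit.append(("denied", caller.package))
            raise PermissionError(f"{caller.package} may not use {cred_id}")
        cred.audit.append(("used", caller.package))
        return hmac.new(cred.secret, message, hashlib.sha256).hexdigest()

    def audit_log(self, cred_id: str) -> List[Tuple[str, str]]:
        return list(self._creds[cred_id].audit)


def attempt_sign(store: KeyStore, cred_id: str, pid: int, message: bytes) -> Tuple[str, str]:
    """Report the outcome as a (status, detail) pair instead of raising."""
    try:
        return ("ok", store.sign(cred_id, pid, message))
    except PermissionError as exc:
        return ("denied", str(exc))
    except LookupError as exc:
        return ("unidentified", str(exc))


def build_example_store() -> KeyStore:
    """Constructed scenario: a bank provisions a key usable by its own app
    and the platform browser, but not by a repackaged copy of its app."""
    bank_app = AppIdentity("com.example.bank", "a" * 64)
    browser = AppIdentity("org.example.platformbrowser", "b" * 64)
    repackaged = AppIdentity("com.example.bank", "c" * 64)  # same name, other signer
    provider = PlatformIdentityProvider({1001: bank_app, 1002: browser, 1003: repackaged})
    store = KeyStore(provider)
    store.provision("bank-session-key", "Example Bank", b"constructed-secret",
                    [bank_app, browser])
    return store


if __name__ == "__main__":
    store = build_example_store()
    for pid in (1001, 1002, 1003, 9999):
        print(pid, attempt_sign(store, "bank-session-key", pid, b"transfer:42"))
    print(store.audit_log("bank-session-key"))
```

The check is deliberately placed on the identity the platform asserts, not on anything the caller sends about itself; that is the point of Anders's remark that the whole stack from the kernel upward has to carry application identity to the store provider, since the store cannot verify the caller on its own.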
