Re: gnome-keyring Using gkr for Kerberos/NTLM single-sign-on handling



On 04/26/2011 07:41 PM, David Woodhouse wrote:
> On Tue, 2011-04-26 at 19:17 +0200, Stef Walter wrote:
>> On 04/26/11 19:01, David Woodhouse wrote:
>>> We need to move to the model that Windows uses, where you log in using
>>> your *local* password (which lets you unlock your home directory
>>> encryption and gnome-keyring, etc.), and then something *notices* that
>>> your local password no longer matches the network password and prompts
>>> you to enter your new network password.
>>>
>>> That "something" should almost certainly be part of gnome-keyring.
>>
>> Certainly interesting, and could fit with gnome-keyring like you
>> suggested. I have the following initial questions:

After thinking about this [1], it sounds very similar to some parts of
the work that David Zeuthen is working on [2] for online accounts.
Obviously some of the protocols and mechanics are different, but the
interaction with the user is uncannily similar.

The only piece that hasn't really been considered is the interaction with
the user's unix login password, more specifically using it as a default
to log into remote services (like Kerberos).

I don't think that gnome-keyring-daemon should hand out the user's login
password like candy to whatever application requests it (eg: this would
break sudo).

However we could add a DBus Interface(s) to gnome-keyring-daemon for
performing various challenges on the user's unix login password (such as
NTLM, Kerberos). This DBus interface could be used by gnome online
accounts in order to log into Kerberos or NTLM where necessary. If this
sounds familiar, it's because it is. It has some aspects of the Meego
SSO solution, but is very scaled back.

What do you guys think? Integrating like this looks to me like it fits
the problem area perfectly.

Cheers,

Stef

[1] http://mail.gnome.org/archives/gnome-keyring-list/2011-April/msg00017.html

[2] http://davidz25.blogspot.com/2011/04/gnome-online-accounts.html

