Re: gnome-keyring Using gkr for Kerberos/NTLM single-sign-on handling

[David Woodhouse <dwmw2 infradead org>]

On Fri, 2011-04-29 at 07:22 -0400, David Zeuthen wrote:
> 
> The nice thing about GetAuthenticationImapConnection() is that the
> user will never ever need to get their hands on the user credentials. 

Hm, but in a sanely designed protocol the credentials are a one-off
anyway, and having a copy shouldn't hurt.

I really worry around letting the GOA code *make* the connection.

Let's imagine I'm inside my company network with its moronic firewalls,
and have configured Evolution to access gmail not by directly making a
connection to imap.gmail.com:993, but instead by running
 ssh bombadil.infradead.org exec openssl -quiet s_client -connect %h:%p

Or perhaps it's not a Google account; perhaps it's my company mail
server and its SSL certificate is signed by our company-internal SSL CA.
That CA has been imported into Evolution's certificate store, or I've
manually told Evolution to accept *this* certificate for *this* host.
But how does GOA know that?

Or maybe I've just set up Evolution to use certain SOCKS/HTTP proxies?

There are *so* many things like that, that I really don't like the idea
of GOA actually making the connection for us. I'd much prefer that it
just handles the base64 challenge/response bits instead. Exactly like
the existing Samba ntlm_auth setup, in fact.

You *really* don't want to be teaching GOA how to connect to every
different type of server, and get all the SSL and proxy and other stuff
right. 

I've just taken stock of the dozens of NTLM implementations we have in
various places, for HTTP/IM/SMTP/IMAP/LDAP/etc authentication. Do you
really want to learn how to make *all* those connections, and get it
*right* in all cases? That way lies madness, I suspect.

-- 
dwmw2