Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- From: JC Ferguson <jc F5 com>
- To: Russ Allbery <rra stanford edu>, David Woodhouse <dwmw2 infradead org>
- Cc: Guido Günther <agx sigxcpu org>, "stefw collabora co uk" <stefw collabora co uk>, "krbdev mit edu" <krbdev mit edu>, "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
- Subject: Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- Date: Thu, 16 Jun 2011 01:35:18 +0000
I agree with Russ - renewable tickets is the way to go.
JC
-----Original Message-----
From: krbdev-bounces mit edu [mailto:krbdev-bounces mit edu] On Behalf Of Russ Allbery
Sent: Wednesday, June 15, 2011 21:29
To: David Woodhouse
Cc: Guido Günther; stefw collabora co uk; krbdev mit edu; gnome-keyring-list gnome org
Subject: Re: Obtaining a TGT without unrestricted access to password.
David Woodhouse <dwmw2 infradead org> writes:
> I'm trying to implement automatic renewal of Kerberos tickets during
> the lifetime of a user's session.
> The user's password is learned at login time and stored within the
> gnome-keyring dæmon.
Why don't you just obtain renewable tickets and renew them instead of storing the password in memory?
> My second thought was that perhaps the keyring could be asked for the
> result of str2key on the password. That's not the actual *password*,
> at least. But I suspect that even that is still too sensitive to be
> handing it out?
It's completely equivalent to the password.
--
Russ Allbery (rra stanford edu) <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list krbdev mit edu
https://mailman.mit.edu/mailman/listinfo/krbdev
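The renewable-ticket approach suggested in this thread, as an added example that is not part of the original messages and is not gnome-keyring or MIT Kerberos code: a session helper that holds no password and only renews the TGT until the KDC refuses. It assumes MIT Kerberos `kinit` and `klist` on the PATH; the function names, the `7d` renewable lifetime and the 3600-second interval are constructed for illustration.

```shell
#!/bin/sh
# Added example: keep a session's TGT alive by renewal only; no password
# or string-to-key result is ever stored by this script.
# Assumes MIT Kerberos kinit/klist. Lifetimes are constructed sample values.

RENEWABLE_LIFE="${RENEWABLE_LIFE:-7d}"  # requested renew-till window (KDC may cap it)
INTERVAL="${INTERVAL:-3600}"            # seconds between renewals; keep below ticket lifetime

# Run once at login. kinit prompts on the terminal itself, so the password
# never passes through this script.
initial_login() {
    kinit -r "$RENEWABLE_LIFE" "$1"
}

# One renewal step. Return codes:
#   0  ticket renewed
#   1  no valid ticket in the cache (expired or never obtained)
#   2  ticket valid but renewal refused (not renewable, or renew-till reached)
renew_once() {
    klist -s || return 1
    kinit -R 2>/dev/null || return 2
    return 0
}

# Renew on a fixed interval until renewal stops working, then return the
# failure code so the caller can prompt the user to authenticate again.
renew_loop() {
    while :; do
        rc=0
        renew_once || rc=$?
        [ "$rc" -eq 0 ] || return "$rc"
        sleep "$INTERVAL"
    done
}

# Only act when invoked as: script run user@REALM
if [ "${1:-}" = "run" ]; then
    initial_login "$2" && renew_loop
    echo "renewal stopped (rc=$?); user must re-authenticate" >&2
fi
```

Once the renew-till time is reached the only way forward is a fresh interactive login, which is the point at which a design that cached the password or its string-to-key result would have used it instead.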