Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- From: Guido Günther <agx sigxcpu org>
- To: Russ Allbery <rra stanford edu>
- Cc: David Woodhouse <dwmw2 infradead org>, stefw collabora co uk, krbdev mit edu, gnome-keyring-list gnome org
- Subject: Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- Date: Thu, 16 Jun 2011 08:44:51 +0200
On Wed, Jun 15, 2011 at 06:28:55PM -0700, Russ Allbery wrote:
> David Woodhouse <dwmw2 infradead org> writes:
> > I'm trying to implement automatic renewal of Kerberos tickets during the
> > lifetime of a user's session.
> > The user's password is learned at login time and stored within the
> > gnome-keyring dæmon.
> Why don't you just obtain renewable tickets and renew them instead of
> storing the password in memory?
What krb5-auth-dialog is often used for is:
* auth offline (e.g. with cached password)
* do stuff
* fire up company vpn
* acquire Kerberos credential
* auth to smtp/imap/etc.
* kill vpn
I'm not sure if this is what David wants to achieve but if so couldn't
we just move the auth part of krb5-auth-dialog into gkr keeping the
notification parts and plugins of krb5-auth-dialog separate? We could
then use krb5_get_init_creds_password with our own prompter and use the
password if available.
] [Thread Prev