Re: gnome-keyring Obtaining a TGT without unrestricted access to password.


On Thu, 2011-06-16 at 08:44 +0200, Guido Günther wrote:
> * fire up company vpn 
> * acquire Kerberos credential
> * auth to smtp/imap/etc.

We all realise how much this user experience sucks, right?

The user shouldn't have to do those steps manually.

When the mailer wants to talk to the company's mail server, it should
tell the connection manager. If you aren't currently on the company
network, that will automatically trigger a VPN connection attempt. The
user might be asked to authenticate to the VPN, so it may not be
*entirely* transparent, but they certainly shouldn't have to think "oh,
I am not connected so I will have to do that first otherwise my mail
program will just be broken".

It's the same for authentication. The user shouldn't have to *manually*
check whether their TGT is still valid and get a new one before running
the mailer. If the mail program discovers that the TGT has expired, it
should just go poke krb5-auth-dialog to get you a new one!

We fixed this in Evolution a while back; checking for the
krb5-auth-dialog manually:

But that only solves the problem for Evolution, and not for any other
clients. It would be nice if perhaps we could hook into libkrb5 itself,
so we can do that 'poke' in *one* place, rather than having to modify
all the clients. Is that feasible?
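The "poke" described above, as an added example that is not code from this thread or from Evolution: check whether the TGT in the credential cache is still usable and, only if it is not (or is about to expire), ask krb5-auth-dialog for a new one. To keep the check runnable offline it parses MIT `klist` output (a constructed sample is embedded) rather than linking libkrb5; the D-Bus name, object path and `acquireTgt` method used for the poke are an assumption from memory of krb5-auth-dialog's interface, not something stated in the thread, and should be confirmed with `gdbus introspect` before use.

```python
"""Decide whether a Kerberos TGT is still usable and, if not, how to poke
krb5-auth-dialog for a fresh one.  Added example, not code from the thread
or from Evolution.  It parses MIT `klist` output (a constructed sample is
embedded) instead of linking libkrb5, so the check runs offline."""
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of `klist` output; a real client would run `klist`
# (or call libkrb5) and feed the text in.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/16/2011 08:00:00  06/16/2011 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/23/2011 08:00:00
06/16/2011 08:05:12  06/16/2011 18:00:00  imap/mail.example.com@EXAMPLE.COM
"""

_TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)
_PRINCIPAL_RE = re.compile(r"^Default principal:\s+(\S+)$")


def _parse_time(text):
    """klist prints 4-digit years on current MIT releases, 2-digit on older ones."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_klist(text):
    """Return (default principal or None, list of (start, expires, service))."""
    principal, tickets = None, []
    for line in text.splitlines():
        line = line.strip()
        m = _PRINCIPAL_RE.match(line)
        if m:
            principal = m.group(1)
            continue
        m = _TICKET_RE.match(line)
        if m:
            tickets.append((_parse_time(m.group(1)), _parse_time(m.group(2)), m.group(3)))
    return principal, tickets


def tgt_state(text, now, margin=timedelta(minutes=5)):
    """Classify the TGT: 'missing', 'expired', 'expiring' (within margin) or 'valid'."""
    _, tickets = parse_klist(text)
    tgts = [t for t in tickets if t[2].startswith("krbtgt/")]
    if not tgts:
        return "missing"
    expires = max(t[1] for t in tgts)  # several TGTs: the latest-expiring one counts
    if expires <= now:
        return "expired"
    if expires - now <= margin:
        return "expiring"
    return "valid"


def krb5_auth_dialog_argv(principal):
    """Command that asks krb5-auth-dialog over the session bus for a TGT.
    Assumption: the D-Bus name, object path and acquireTgt method below are
    from memory of krb5-auth-dialog's interface, not from the thread; confirm
    them with `gdbus introspect` on a real desktop before relying on them."""
    return [
        "gdbus", "call", "--session",
        "--dest", "org.gnome.KrbAuthDialog",
        "--object-path", "/org/gnome/KrbAuthDialog",
        "--method", "org.gnome.KrbAuthDialog.acquireTgt",
        principal or "",
    ]


def ensure_tgt(text, now, dry_run=True):
    """The 'poke' a mailer would do before talking to the server.
    Returns (state, argv): argv is the poke command, or None when the TGT is
    still valid.  With dry_run=False the command is actually executed."""
    state = tgt_state(text, now)
    if state == "valid":
        return state, None
    principal, _ = parse_klist(text)
    argv = krb5_auth_dialog_argv(principal)
    if not dry_run:
        subprocess.run(argv, check=False)
    return state, argv


if __name__ == "__main__":
    for when in (datetime(2011, 6, 16, 12, 0), datetime(2011, 6, 16, 19, 0)):
        print(when, ensure_tgt(SAMPLE_KLIST, when))
```

The `margin` argument is what makes this usable from a client rather than a cron job: a TGT that expires in two minutes will not survive the TLS and GSSAPI handshake with the IMAP server, so the client should poke for a new one before connecting instead of failing mid-login. Hooking the same check into libkrb5 itself, as the message proposes, would let every GSSAPI client inherit it without carrying code like this.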

