Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- From: David Woodhouse <dwmw2 infradead org>
- To: Guido Günther <agx sigxcpu org>
- Cc: Russ Allbery <rra stanford edu>, stefw collabora co uk, krbdev mit edu, gnome-keyring-list gnome org
- Subject: Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- Date: Thu, 16 Jun 2011 11:11:25 +0100
On Thu, 2011-06-16 at 08:44 +0200, Guido Günther wrote:
> * fire up company vpn
> * acquire Kerberos credential
> * auth to smtp/imap/etc.
We all realise how much this user experience sucks, right?
The user shouldn't have to do those steps manually.
When the mailer wants to talk to the company's mail server, it should
tell the connection manager. If you aren't currently on the company
network, that will automatically trigger a VPN connection attempt. The
user might be asked to authenticate to the VPN, so it may not be
*entirely* transparent, but they certainly shouldn't have to think "oh,
I am not connected so I will have to do that first otherwise my mail
program will just be broken".
It's the same for authentication. The user shouldn't have to *manually*
check whether their TGT is still valid and get a new one before running
the mailer. If the mail program discovers that the TGT has expired, it
should just go poke krb5-auth-dialog to get you a new one!
We fixed this in Evolution a while back; checking for the
KRB5KRB_AP_ERR_TKT_EXPIRED or KRB5KDC_ERR_NEVER_VALID errors and poking
But that only solves the problem for Evolution, and not for any other
clients. It would be nice if perhaps we could hook into libkrb5 itself,
so we can do that 'poke' in *one* place, rather than having to modify
all the clients. Is that feasible?
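What that single "poke in one place" hook could look like, as an added example written for this page (it is not Evolution's code and not anything in libkrb5 or krb5-auth-dialog). The wrapper runs a client's authenticated operation, and only when it fails with one of the two errors named above does it ask the user for a fresh TGT and retry once; every other error is returned untouched. Assumptions: krb5-auth-dialog exposes a session-bus method `org.gnome.KrbAuthDialog.acquireTgt(string principal)`, the two error constants are written out with the values MIT krb5's krb5.h gives them so the file builds without the krb5 headers, and the scripted operation and fake poke are constructed stand-ins so the logic can be exercised without a KDC.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Values from MIT krb5's krb5.h (error table base -1765328384L), written out
 * so this example builds without the krb5 headers. */
typedef long krb5_error_code;
#define KRB5KDC_ERR_NEVER_VALID    (-1765328373L)
#define KRB5KRB_AP_ERR_TKT_EXPIRED (-1765328352L)

/* A client's authenticated operation (IMAP login, SMTP AUTH, ...) and the
 * "poke" that asks the user for a fresh TGT; both injectable for testing. */
typedef krb5_error_code (*krb5_op_fn)(void *ctx);
typedef int (*tgt_poke_fn)(const char *principal, void *ctx);

/* The two errors that mean "the TGT is gone, get a new one". */
int tgt_needs_renewal(krb5_error_code code)
{
    return code == KRB5KRB_AP_ERR_TKT_EXPIRED ||
           code == KRB5KDC_ERR_NEVER_VALID;
}

/* Default poke: call krb5-auth-dialog's (assumed) session-bus method
 * org.gnome.KrbAuthDialog.acquireTgt via dbus-send. exec'd with an argv
 * array rather than a shell string, so a principal containing shell
 * metacharacters cannot inject commands. Returns 1 if dbus-send exited 0;
 * the boolean reply (accepted vs. cancelled) is not parsed here. */
int poke_krb5_auth_dialog(const char *principal, void *unused)
{
    char arg[512];
    int status = 0;
    pid_t pid;
    (void)unused;
    snprintf(arg, sizeof arg, "string:%s", principal ? principal : "");
    pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        char *argv[] = { "dbus-send", "--session", "--print-reply",
                         "--dest=org.gnome.KrbAuthDialog",
                         "/org/gnome/KrbAuthDialog",
                         "org.gnome.KrbAuthDialog.acquireTgt", arg, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* The single hook: run op(); on an expired/never-valid TGT, poke once and
 * retry once. Any other error, a refused poke, or a second failure is
 * returned unchanged so the client still sees the real error. */
krb5_error_code run_with_tgt(krb5_op_fn op, void *op_ctx,
                             tgt_poke_fn poke, void *poke_ctx,
                             const char *principal)
{
    krb5_error_code code = op(op_ctx);
    if (!tgt_needs_renewal(code))
        return code;
    if (!poke(principal, poke_ctx))
        return code;
    return op(op_ctx);
}

/* Constructed stand-ins: an op that returns two scripted codes in order,
 * and a poke that records calls and answers as configured. */
struct scripted { krb5_error_code first, second; int calls; };
static krb5_error_code scripted_op(void *ctx)
{
    struct scripted *s = ctx;
    return s->calls++ == 0 ? s->first : s->second;
}
struct fake_poke { int answer, calls; };
static int fake_poke_fn(const char *principal, void *ctx)
{
    struct fake_poke *p = ctx;
    (void)principal;
    p->calls++;
    return p->answer;
}

/* Run one scenario; returns the code the client sees, and how often the
 * user was poked via *pokes (may be NULL). */
krb5_error_code scenario(krb5_error_code first, krb5_error_code second,
                         int user_grants, int *pokes)
{
    struct scripted s = { first, second, 0 };
    struct fake_poke p = { user_grants, 0 };
    krb5_error_code r = run_with_tgt(scripted_op, &s, fake_poke_fn, &p,
                                     "alice@EXAMPLE.COM");
    if (pokes)
        *pokes = p.calls;
    return r;
}
int scenario_pokes(krb5_error_code first, krb5_error_code second, int grants)
{
    int n;
    scenario(first, second, grants, &n);
    return n;
}

int main(void)
{
    int pokes;
    krb5_error_code r = scenario(KRB5KRB_AP_ERR_TKT_EXPIRED, 0, 1, &pokes);
    printf("expired TGT, user re-authenticates: %ld after %d poke(s)\n", r, pokes);
    r = scenario(KRB5KRB_AP_ERR_TKT_EXPIRED, 0, 0, &pokes);
    printf("expired TGT, user cancels: %ld after %d poke(s)\n", r, pokes);
    return 0;
}
```

Two design points worth keeping if this were moved into a library: the retry is bounded to one, so a KDC that keeps answering NEVER_VALID (clock skew, a disabled principal) cannot trap the client in a prompt loop, and the original error code is preserved when the user cancels, so the mailer reports the real failure instead of a generic one.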