Re: gnome-keyring Obtaining a TGT without unrestricted access to password.

[Guido Günther <agx sigxcpu org>]

On Thu, Jun 16, 2011 at 11:11:25AM +0100, David Woodhouse wrote:
> (Digression)
> 
> On Thu, 2011-06-16 at 08:44 +0200, Guido Günther wrote:
> > * fire up company vpn 
> > * acquire Kerberos credential
> > * auth to smtp/imap/etc.
> 
> We all realise how much this user experience sucks, right?
Sure. That's exaclty why I added DBus API you're using in evo. This
could certainly be improved (there's no async API, etc.).

> The user shouldn't have to do those steps manually.
> 
> When the mailer wants to talk to the company's mail server, it should
> tell the connection manager. If you aren't currently on the company
> network, that will automatically trigger a VPN connection attempt. The
> user might be asked to authenticate to the VPN, so it may not be
> *entirely* transparent, but they certainly shouldn't have to think "oh,
> I am not connected so I will have to do that first otherwise my mail
> program will just be broken".
> 
> It's the same for authentication. The user shouldn't have to *manually*
> check whether their TGT is still valid and get a new one before running
> the mailer. If the mail program discovers that the TGT has expired, it
> should just go poke krb5-auth-dialog to get you a new one!
>
> We fixed this in Evolution a while back; checking for the
> KRB5KRB_AP_ERR_TKT_EXPIRED or KRB5KDC_ERR_NEVER_VALID errors and poking
> krb5-auth-dialog manually:
> http://git.gnome.org/browse/evolution-data-server/commit/?id=6c6dfcc9
> 
> But that only solves the problem for Evolution, and not for any other
> clients. It would be nice if perhaps we could hook into libkrb5 itself,
> so we can do that 'poke' in *one* place, rather than having to modify
> all the clients. Is that feasible?
That sound great. I'd be happy to drop the auth code from
krb5-auth-dialog and only leave it aroudn for notifications and the
plugins (e.g. for afs).
Cheers,
 -- Guido

> 
> -- 
> dwmw2
>