Re: gnome-keyring Obtaining a TGT without unrestricted access to password.

Stef Walter <stefw collabora co uk> writes:
> On 06/16/2011 02:28 AM, Russ Allbery wrote:

>> Why don't you just obtain renewable tickets and renew them instead of
>> storing the password in memory?

> That sounds interesting. Do you have pointers to how this works? I'm not
> that familiar with Kerberos, so please bear with me :)

The result of a Kerberos authentication is a Kerberos
ticket-granting-ticket, which has a lifetime and a renewable lifetime.  As
long as you do so within the lifetime window, you can perform another
authentication to the KDC using the ticket-granting-ticket, without the
password, and ask for a renewed ticket, which will hand you back a new
ticket with a longer lifetime, but with a renewable lifetime that still
expires at the same time as the first one.

In other words, renewing the ticket-granting-ticket can be done without
knowledge of the password and is just like reusing the password, except:

1. The total length of time that a person can renew their credentials
   without demonstrating knowledge of the key is under the control of the
   local site KDC administrator, where you probably want it to be.

2. The local site KDC administrator can intervene if necessary and cause
   the KDC to refuse to renew tickets for that user (if, for example,
   there's some reason to believe the renewable ticket was compromised).

So it's generally superior to storing the user's password in memory in
every respect except when the user intentionally wants to not follow site
policy as expressed in the renewable ticket lifetime.  (Unfortunately,
that last case is common, in part because a lot of sites don't realize
they *have* set a policy.)

-- 
Russ Allbery (rra stanford edu)             <http://www.eyrie.org/~eagle/>
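A small model of the renewal rule described above, added here as an illustration and not part of the thread or of any Kerberos implementation; the field names loosely follow krb5's ticket fields (endtime, renew_till) but the code is a hypothetical stand-in for the KDC's decision, with constructed sample times in the test.

```python
from dataclasses import dataclass


@dataclass
class Tgt:
    """Hypothetical TGT record: only the lifetime fields that matter here."""
    issued: int         # seconds since epoch (constructed values)
    endtime: int        # end of the current ticket lifetime
    renew_till: int     # end of the renewable lifetime; fixed at first issue
    renewable: bool = True


class RenewalRefused(Exception):
    """The KDC declined to renew; a fresh password authentication is needed."""


def issue_tgt(now, lifetime, renewable_lifetime):
    """Initial authentication (kinit): the only step that needs the password."""
    return Tgt(issued=now, endtime=now + lifetime,
               renew_till=now + renewable_lifetime)


def renew_tgt(tgt, now, lifetime, revoked=False):
    """Renewal (kinit -R): authenticates with the TGT itself, no password.
    Allowed only inside the current lifetime and before renew_till; the new
    endtime is capped at renew_till, which never moves (site policy)."""
    if revoked:   # admin intervention, e.g. the ticket is believed compromised
        raise RenewalRefused("KDC administrator disabled renewal for principal")
    if not tgt.renewable or now >= tgt.endtime:
        raise RenewalRefused("ticket expired; password authentication required")
    if now >= tgt.renew_till:
        raise RenewalRefused("renewable lifetime exhausted; re-authentication required")
    return Tgt(issued=now, endtime=min(now + lifetime, tgt.renew_till),
               renew_till=tgt.renew_till, renewable=tgt.renewable)


def simulate_renewals(lifetime, renewable_lifetime, renew_every):
    """Renew a fresh TGT every `renew_every` seconds, as a keyring daemon
    might, and report (successful renewals, last endtime reached): how long
    credentials stayed valid without the password being re-entered."""
    tgt = issue_tgt(0, lifetime, renewable_lifetime)
    now, renewals = 0, 0
    while True:
        now += renew_every
        try:
            tgt = renew_tgt(tgt, now, lifetime)
        except RenewalRefused:
            return renewals, tgt.endtime
        renewals += 1
```

With a 10-hour lifetime and a 7-day renewable lifetime, renewing every 8 hours keeps the TGT alive for exactly 7 days and not a second longer; renewing less often than the lifetime (every 12 hours) fails on the first attempt.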
