Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- From: David Woodhouse <dwmw2@infradead.org>
- To: Russ Allbery <rra@stanford.edu>
- Cc: guido@pch.mit.edu, Günther <agx@sigxcpu.org>, Stef Walter <stefw@collabora.co.uk>, krbdev@mit.edu, gnome-keyring-list@gnome.org
- Subject: Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- Date: Thu, 16 Jun 2011 15:49:16 +0100
On Thu, 2011-06-16 at 06:56 -0700, Russ Allbery wrote:
>
> The result of a Kerberos authentication is a Kerberos
> ticket-granting-ticket, which has a lifetime and a renewable lifetime. As
> long as you do so within the lifetime window, you can perform another
> authentication to the KDC using the ticket-granting-ticket,
For example:

$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
06/16/11 10:47:56  06/16/11 20:48:00  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
	renew until 06/23/11 10:47:56
$ kinit -R   # Look ma! No password!
$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
06/16/11 15:39:39  06/17/11 01:39:43  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
	renew until 06/23/11 10:47:56
> So it's generally superior to storing the user's password in memory in
> every respect except when the user intentionally wants to not follow
> site policy as expressed in the renewable ticket lifetime.
> (Unfortunately, that last case is common, in part because a lot of
> sites don't realize they *have* set a policy.)
AFAICT most Windows sites *don't* set a policy. They just use the
standard Windows default of 10-hour/10-day tickets — because it doesn't
really make any significant difference to Windows clients, does it?
I only boot a Windows virtual machine occasionally these days, so I
don't remember the last time I had it running for more than 10 days at a
time. But I'm fairly sure it didn't ask for the password again after
that time was up. And I'm fairly sure it didn't demand to be connected
to the corporate network at least once every ten hours, so that it could
prevent its ticket from expiring. It just gets a new one when it needs
to.
Windows clients certainly don't force their users to think "oh, I'm
about to do something that's going to need to authenticate to the
network, so I'd best run kinit first". It "just works" there, obtaining
a new TGT when necessary and asking the user for their password only
when it doesn't actually match the one they logged in with.
--
dwmw2
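The renewal rule quoted in this message (a TGT can be refreshed with `kinit -R`, no password, only while it is still valid and before its renewable lifetime ends), as an added shell example that is not part of this message, of gnome-keyring, or of MIT Kerberos. It parses `klist` output of the short `MM/DD/YY HH:MM:SS` shape shown above and reports whether a password-less renewal is still possible; the klist samples are constructed, and the timestamp handling assumes that short two-digit-year format (locale and century are ignored).

```shell
# Added example (not from the message above, nor gnome-keyring code): decide,
# from `klist` output, whether `kinit -R` can still refresh the TGT without
# asking for a password.  It encodes the rule quoted in the message: renewal
# only works while the ticket is still valid (before "Expires") AND before
# "renew until".  Assumes klist's short MM/DD/YY HH:MM:SS timestamps.

# Constructed sample, shaped like the first klist output in the message.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
06/16/11 10:47:56  06/16/11 20:48:00  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM
        renew until 06/23/11 10:47:56'

# Constructed sample of a TGT issued without a renewable lifetime.
SAMPLE_NONRENEW='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dwoodhou@GER.CORP.INTEL.COM

Valid starting     Expires            Service principal
06/16/11 10:47:56  06/16/11 20:48:00  krbtgt/GER.CORP.INTEL.COM@GER.CORP.INTEL.COM'

# "MM/DD/YY HH:MM:SS" -> fixed-width YYMMDDHHMMSS, so keys compare in order.
ts_key() {
    printf '%s\n' "$1" |
        awk -F'[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# True when timestamp key $1 is strictly earlier than key $2.
before() { awk -v a="$1" -v b="$2" 'BEGIN { exit !(a < b) }'; }

# Print "EXPIRES|RENEW_UNTIL" for the krbtgt entry (RENEW_UNTIL empty when the
# ticket is not renewable; nothing printed when there is no TGT at all).
tgt_times() {
    printf '%s\n' "$1" | awk '
        $5 ~ /^krbtgt\// { expiry = $3 " " $4; want = 1; next }
        want && $1 == "renew" && $2 == "until" { print expiry "|" $3 " " $4; found = 1; exit }
        { want = 0 }
        END { if (!found && expiry != "") print expiry "|" }'
}

# tgt_state "<klist output>" "<now, MM/DD/YY HH:MM:SS>" prints one of:
#   renewable | expired | not-renewable | renew-window-closed | no-tgt
tgt_state() {
    tgt=$(tgt_times "$1")
    [ -n "$tgt" ] || { echo no-tgt; return 0; }
    now=$(ts_key "$2")
    expires=$(ts_key "${tgt%%|*}")
    renew_until=${tgt#*|}
    # Past "Expires" the TGT is dead even if "renew until" is days away:
    # kinit -R fails and a password (or keytab) is needed again.
    if ! before "$now" "$expires"; then echo expired; return 0; fi
    [ -n "$renew_until" ] || { echo not-renewable; return 0; }
    if ! before "$now" "$(ts_key "$renew_until")"; then echo renew-window-closed; return 0; fi
    echo renewable
}

# Driver for a real cache (needs a KDC, so not exercised offline): renew while
# we can, otherwise fall back to a fresh kinit that prompts for the password.
refresh_tgt() {
    case $(tgt_state "$(klist 2>/dev/null)" "$(date '+%m/%d/%y %H:%M:%S')") in
        renewable) kinit -R ;;
        *)         kinit ;;
    esac
}
```

Run `refresh_tgt` from a periodic job (cron, a systemd timer, or a login agent) at least once per ticket lifetime. The point the check makes concrete is that the password-free window closes at "Expires", not at "renew until": with the 10-hour/10-day defaults discussed in the message, an agent that is offline or asleep for more than ten hours finds the TGT in the `expired` state and has to prompt again, however much renewable lifetime was left.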