Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- From: Russ Allbery <rra stanford edu>
- To: David Woodhouse <dwmw2 infradead org>
- Cc: "Roland C. Dowdeswell" <elric imrryr org>, Guido Günther <agx sigxcpu org>, gnome-keyring-list gnome org, krbdev mit edu, stefw collabora co uk
- Subject: Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- Date: Thu, 16 Jun 2011 08:10:24 -0700
David Woodhouse <dwmw2 infradead org> writes:
> Am I missing something here? The Windows default is a 10-hour ticket,
> renewable for 10 days. So you might manage 10 days at most, as long as
> you set a wakeup timer to wake the laptop up from its slumber in the
> middle of the night, connect to the VPN (without user interaction), and
> renew the ticket. Otherwise it'll be dead and unrenewable every morning?
I think the place where we're talking past each other here is that you're
assuming that the above are facts of nature that cannot be changed because
you're mostly dealing with users of Windows realms whose administrators
don't know what they're doing, whereas Roland and I are both KDC
administrators and know exactly what the lifetimes and renewable lifetimes
are for our realms and set them intentionally. :)
For example, our ticket lifetime is 25 hours and our renewable lifetime is
14 days. I actually want our users to have to re-enter their password
every 14 days, or rather, I want the person who stole their laptop to have
full use of their account for at most 14 days after the point at which
they stole it, even if they don't tell us about that.
Russ Allbery (rra stanford edu) <http://www.eyrie.org/~eagle/>