Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- From: Luke Howard <lukeh padl com>
- To: Simo Sorce <simo redhat com>
- Cc: Russ Allbery <rra stanford edu>, guido pch mit edu, Günther <agx sigxcpu org>, gnome-keyring-list gnome org, krbdev mit edu, David Woodhouse <dwmw2 infradead org>, Stef Walter <stefw collabora co uk>
- Subject: Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- Date: Thu, 16 Jun 2011 15:19:49 +0000
AFAIK Windows caches the MD4 hash for NTLM, so it can always get rc4-hmac creds -- whether it does this I don't know.
-- Luke
On 16/06/2011, at 3:10 PM, Simo Sorce wrote:
> On Thu, 2011-06-16 at 15:49 +0100, David Woodhouse wrote:
>> AFAICT most Windows sites *don't* set a policy. They just use the
>> standard Windows default of 10-hour/10-day tickets — because it doesn't
>> really make any significant difference to Windows clients, does it?
>
> They don't really need to because they can obtain a new ticket from
> scratch every time you unlock the screensaver (to which you give your
> password), which is what we do with sssd as well as the password goes
> down the pipe through pam.
>
> So the case where a 10h/10d policy is not enough is extremely rare.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
--
Luke Howard / lukeh padl com
www.padl.com / www.lukehoward.com