Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- From: Russ Allbery <rra stanford edu>
- To: Simo Sorce <simo redhat com>
- Cc: Guido Günther <agx sigxcpu org>, David Woodhouse <dwmw2 infradead org>, gnome-keyring-list gnome org, krbdev mit edu, stefw collabora co uk
- Subject: Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- Date: Thu, 16 Jun 2011 08:23:59 -0700
Simo Sorce <simo redhat com> writes:
> Purpose that is defeated if someone stores the password in clear text,
> in a way that the user can query it, or not in kernel protected memory
> ... like gnome-keyring does ...
Indeed. Which is why in the long run we're looking at other preauth
mechanisms to require things like multifactor authentication, which will
continue to work well with the desired behavior if one uses renewable
tickets, but which will completely break (intentionally) what's otherwise
being discussed here....
Russ Allbery (rra stanford edu) <http://www.eyrie.org/~eagle/>