Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- From: Nico Williams <nico cryptonector com>
- To: "Roland C. Dowdeswell" <elric imrryr org>
- Cc: Russ Allbery <rra stanford edu>, Guido Günther <agx sigxcpu org>, gnome-keyring-list gnome org, krbdev mit edu, David Woodhouse <dwmw2 infradead org>, stefw collabora co uk
- Subject: Re: gnome-keyring Obtaining a TGT without unrestricted access to password.
- Date: Thu, 16 Jun 2011 11:07:16 -0500
On Thu, Jun 16, 2011 at 10:49 AM, Roland C. Dowdeswell <elric imrryr org> wrote:
> How about the prevalence of userland programs that presume that
> the presentation of a user's passwd indicates that the user is
> actually sitting in front of the keyboard? There are many programs
> that will intentionally reprompt for a user's passwd to perform
> administrative or high risk activities. Examples that come to mind
> are kadmin, kpasswd, sudo. This model is also used in enterprises
> for high risk business transactions (frequently with pressure from
> regulators).
>
> How does one square away the storing of a passwd in memory against
> this existing prevalent use case? Other than simply transitioning
> to OTP in order to defeat it?
You either ignore this problem or you use OTP or PKINIT with
non-extractable private keys stored in smartcards.
Nico