Re: gnome-keyring Obtaining a TGT without unrestricted access to password.



On Wed, Jun 15, 2011 at 06:28:55PM -0700, Russ Allbery wrote:
> David Woodhouse <dwmw2 infradead org> writes:
> 
> > I'm trying to implement automatic renewal of Kerberos tickets during the
> > lifetime of a user's session.
> 
> > The user's password is learned at login time and stored within the
> > gnome-keyring dæmon.
> 
> Why don't you just obtain renewable tickets and renew them instead of
> storing the password in memory?

What krb5-auth-dialog is often used for is:

* auth offline (e.g. with cached password)
* do stuff
* fire up company vpn 
* acquire Kerberos credential
* auth to smtp/imap/etc.
* kill vpn
* ...

I'm not sure if this is what David wants to achieve but if so couldn't
we just move the auth part of krb5-auth-dialog into gkr keeping the
notification parts and plugins of krb5-auth-dialog separate? We could
then use krb5_get_init_creds_password with our own prompter and use the
password if available.
Cheers,
 -- Guido


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]