Apps aquiring tickets (was Re: gssapi/openssh)
James F.Hranicky
jfh at cise.ufl.edu
Fri May 2 10:24:33 EDT 2003
On Wed, 30 Apr 2003 18:25:47 +0100
Simon Wilkinson <sxw at warspite.inf.ed.ac.uk> wrote:
> No, it doesn't. Philosophically, I don't think that its the job of the
> client to go out and get credentials, if none exist. Practically, doing
> so would require the client to know about the underlying GSSAPI mechanism,
> which at present it doesn't need to.
I understand this sentiment (especially with GSSAPI given its a layer that
uses Kerberos, but isn't itself Kerberos), but I think that if the following
were true it would be a boon for the user:
1) applications could get a TGT for a given realm stored in a single
common place that other apps could use
2) the ticket cache could contain TGTs for multiple realms
Then you could simply "be" however many principals you want to be at a given
time, and get prompted for re-authorization when necessary.
Perhaps 1) could be satified by "kinitd" that runs in the background and
pops up a window when your TGT expires, or if your at a terminal, runs
in the background and spits out a message saying "run kinit for this realm".
However, "kinitd" probably wouldn't be tied to the apps in any way, e.g.,
receiving notification from an app when the app finds the TGT is expired.
2) would probably require code mods to Kerberos, though I'd think that would
be very useful.
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfh at cise.ufl.edu http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
More information about the Kerberos
mailing list