Apps acquiring tickets (was Re: gssapi/openssh)

Douglas E. Engert deengert at anl.gov
Fri May 2 11:05:26 EDT 2003


You are asking for trouble if any application can ask the user to
enter their password at any time. They will, and will try all of
their passwords if they have to. Better to train them to enter it
only at specific times, like login, and be suspicious if any application
asks for their password.


"James F.Hranicky" wrote:
> 
> On Wed, 30 Apr 2003 18:25:47 +0100
> Simon Wilkinson <sxw at warspite.inf.ed.ac.uk> wrote:
> 
> > No, it doesn't. Philosophically, I don't think that its the job of the
> > client to go out and get credentials, if none exist. Practically, doing
> > so would require the client to know about the underlying GSSAPI mechanism,
> > which at present it doesn't need to.
> 
> I understand this sentiment (especially with GSSAPI given it's a layer that
> uses Kerberos, but isn't itself Kerberos), but I think that if the following
> were true it would be a boon for the user:
> 
>         1) applications could get a TGT for a given realm stored in a single
>            common place that other apps could use


Kerberos does this.

> 
>         2) the ticket cache could contain TGTs for multiple realms
> 
> Then you could simply "be" however many principals you want to be at a given
> time, and get prompted for re-authorization when necessary.
> 
> Perhaps 1) could be satisfied by "kinitd" that runs in the background and
> pops up a window when your TGT expires, or if you're at a terminal, runs
> in the background and spits out a message saying "run kinit for this realm".
> However, "kinitd" probably wouldn't be tied to the apps in any way, e.g.,
> receiving notification from an app when the app finds the TGT is expired.
> 
> 2) would probably require code mods to Kerberos, though I'd think that would
> be very useful.
> 
> ----------------------------------------------------------------------
> | Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
> | E314D CSE Building                            Phone (352) 392-1499 |
> | jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
> ----------------------------------------------------------------------
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
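As an added illustration of the "kinitd" idea discussed above (not code from either poster): a monitor that reads `klist` output, finds the krbtgt entries per realm, and reports which realms need a fresh `kinit`, telling the user to run it rather than prompting for a password itself. It assumes MIT `klist`'s default table layout and the `MM/DD/YYYY HH:MM:SS` timestamp format; the sample output is constructed.

```python
"""Report Kerberos TGTs that are expired or about to expire, per realm."""
from datetime import datetime, timedelta
import re

# Constructed klist output (hypothetical principal and realms).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.EDU

Valid starting       Expires              Service principal
05/02/2003 09:00:00  05/02/2003 19:00:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
05/02/2003 09:05:00  05/02/2003 11:10:00  krbtgt/OTHER.ORG@EXAMPLE.EDU
05/02/2003 09:06:00  05/02/2003 19:00:00  host/srv.example.edu@EXAMPLE.EDU
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"          # assumes MIT klist default locale format
TGT_RE = re.compile(r"^krbtgt/([^@]+)@(.+)$")  # krbtgt/<realm granted>@<issuing realm>


def parse_tgts(klist_text):
    """Return {realm: expiry} for every krbtgt ticket in klist output.

    Header and 'Default principal' lines never match the krbtgt pattern,
    so only ticket rows contribute entries.
    """
    tgts = {}
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) != 5:           # start date, start time, exp date, exp time, service
            continue
        m = TGT_RE.match(parts[4])
        if not m:
            continue
        realm = m.group(1)            # the realm this TGT lets you reach
        tgts[realm] = datetime.strptime(" ".join(parts[2:4]), TIME_FMT)
    return tgts


def expiring_realms(klist_text, now, warn=timedelta(minutes=15)):
    """Realms whose TGT has expired or expires within `warn` of `now`, sorted."""
    return sorted(r for r, exp in parse_tgts(klist_text).items() if exp - now <= warn)


if __name__ == "__main__":
    # A real kinitd would read `klist` via subprocess and use datetime.now().
    for realm in expiring_realms(SAMPLE_KLIST, datetime(2003, 5, 2, 11, 0, 0)):
        print("TGT for %s expires soon: run kinit for this realm" % realm)
```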

