Apps aquiring tickets (was Re: gssapi/openssh)

Dr. Greg Wettstein greg at wind.enjellic.com
Mon May 5 09:38:57 EDT 2003


On May 2, 10:17pm, Ken Raeburn wrote:
} Subject: Re: Apps aquiring tickets (was Re: gssapi/openssh)

> jfh at cise.ufl.edu ("James F.Hranicky") writes:
> > Users of Kerberized apps have to "do something" when the TGT expires, why
> > not let them be prompted?

> I believe the Mac OS version of MIT Kerberos can do this -- but it's
> done by the Kerberos implementation, not by code in every
> application.  I think it would be a reasonable idea to make such a
> facility available on other platforms, but it shouldn't require
> changes to application code.

A credentials manager would certainly be a useful utility but I agree
with what Ken's sentiments seem to be that it should be part of
Kerberos itself.

More problematically it would seem that such a utility will need to be
specific not only to the OS but the operating environment as well.  At
the very minimum there would need to be at least three graphical
implementations and a generic text implementation.  The graphical
environments would be Windows, X and Macintosh.  To provide maximum
utility there would also need to be a version which could prompt in text
mode over a tty device.

The problem may be somewhat easier since I anticipate most interest
would be in a graphical version.  I usually have 6-10 different text
mode displays open at any one time but I certainly don't have a
problem running kinit if an application tells me that I have an
outdated ticket.

It would seem that Java would be the language of choice for something
like this; it at least makes the graphical issues less of a problem.
Since 1.4.x also supports GSSAPI there is low-level support for
Kerberos credential management in at least the IBM and SUN
distributions.

I've actually thought about this some, not from the perspective of
re-prompting but from the viewpoint of initial ticket acquisition.
Since Hurderos is based on a strict identity and services
authorization model the actual representational identity of a user
bears no resemblance to their Kerberos principal.  The ticket
acquisition utility that I envision needs to do a directory access in
order to determine whether the user is authorized for the Kerberos
service and if so obtain the principal which is simply one of the
representational characteristics of the service.

So again, all that's needed is someone with some spare coding
cycles... :-)

> Ken

Greg

}-- End of excerpt from Ken Raeburn

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-4950            WWW: http://www.enjellic.com
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------

"One of the reporters asked if they could "see" the INTERNET worm.
They tried to explain that it wasn't something that you could actually
see but it was merely a program that was running in the background.
One of the reporters asked, 'What if you had a color monitor?'"
                                -- UNKNOWN
