Apps acquiring tickets
Alexandra Ellwood
lxs at MIT.EDU
Wed May 7 12:55:20 EDT 2003
>People looking at this should consider the Kerberos login library
>architecture used by KFM and look at whether that architecture is
>appropriate for other platforms.
>
>Decisions that KLL makes:
>
>1) The graphical prompting is done in the context of the application.
> You could argue against this because it means any arbitrary
> application can prompt you for a password.
This was true in Mac OS 9. In Mac OS X, the application makes the
request to prompt (as a side effect of trying to look up the default
ccache), but the actual dialog is presented by the
KerberosLoginServer, a separate process launched from inside the
Kerberos framework. This is similar to the behavior of the
SecurityAgent which presents the administrator password dialog for
Mac OS X's Security Services.
>2) Library functions may attempt to interact with the terminal and get
> tickets in text mode.
This will no longer be true in the next major release of Mac OS X.
We found there were too many problems with the automatic prompting
interfering with curses-style terminal programs. A command line
client can still manually call into the KLL to prompt if necessary
(with KLAcquireInitialTickets()), but the library will no longer
automatically prompt.
>Note that MIT will continue to have to support KLL for KFM, so any
>significantly different architecture will be harder for us to accept.
>
>Personally I'm not yet convinced this problem is worth solving. I
>think the Windows approach of getting tickets at login and continually
>renewing them is appropriate.
There are a couple of common cases where automatic prompting really
helps Mac OS X users. I'm not sure how applicable these are to other
platforms:
Many Mac users have their own personal machine. The OS installer
encourages them to use Mac OS X's "automatic login", which results in
a single user machine that never displays the Mac OS X login dialog.
Unless the user stores their Kerberos password on the machine, when
the user reboots the machine, he or she will need new tickets.
Automatic software updates which need to reboot the machine usually
come out every couple months, so this happens reasonably frequently
even if the user never manually reboots their machine.
Mac laptop users often put their machines to sleep for periods longer
than typical ticket lifetimes (e.g., overnight). Since these machines
cannot renew their tickets while asleep, and tickets cannot be
renewed once they have expired, the user needs to get new tickets
when they un-sleep the machine.
My two cents,
--lxs
--
-----------------------------------------------------------------------------
Alexandra Ellwood <lxs at mit.edu>
MIT Information Systems http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
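The sleep scenario in the message above, as an added model (not code from the message or from the Kerberos Login Library): a renewer daemon that wakes on a timer can keep a renewable ticket alive indefinitely, but a ticket that expires while the machine is asleep cannot be renewed afterwards even though its renewable window is still open, so the user must get new initial tickets. The Ticket fields, the hourly timer and the KDC renewal rule are constructed simplifications.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

class Action(Enum):
    KEEP = "keep"      # valid and not near expiry: nothing to do
    RENEW = "renew"    # valid, renewable and near expiry: ask the KDC to renew
    REAUTH = "reauth"  # expired (or no longer renewable): need new initial tickets

@dataclass(frozen=True)
class Ticket:
    starttime: datetime
    endtime: datetime               # end of ticket lifetime
    renew_till: Optional[datetime]  # end of renewable window; None = not renewable

def next_action(t: Ticket, now: datetime, lead: timedelta = timedelta(hours=1)) -> Action:
    """What a renewer should do at `now`: renew only while still valid and before renew_till."""
    if now >= t.endtime:
        return Action.REAUTH          # expired tickets cannot be renewed, whatever renew_till says
    if t.renew_till is None or now >= t.renew_till:
        return Action.KEEP            # usable until expiry, but no renewal possible
    return Action.RENEW if now >= t.endtime - lead else Action.KEEP

def renew(t: Ticket, now: datetime) -> Ticket:
    """Simplified KDC renewal (constructed): same lifetime as before, capped at renew_till."""
    assert next_action(t, now) is Action.RENEW
    lifetime = t.endtime - t.starttime
    return Ticket(now, min(now + lifetime, t.renew_till), t.renew_till)

def run_renewer(t: Ticket, checks: List[datetime]):
    """Replay the renewer's timer ticks; a gap in `checks` models the machine being asleep."""
    actions = []
    for now in checks:
        a = next_action(t, now)
        if a is Action.RENEW:
            t = renew(t, now)
        actions.append(a)
    return actions, t

def hourly(start: datetime, hours: int) -> List[datetime]:
    return [start + timedelta(hours=h) for h in range(hours)]

# Constructed scenario: 10-hour ticket, renewable for a week, obtained at 09:00.
T0 = datetime(2003, 5, 7, 9, 0)
TICKET = Ticket(T0, T0 + timedelta(hours=10), T0 + timedelta(days=7))

def laptop_overnight() -> List[Action]:
    """Awake 09:00-18:00 (renews at 18:00), asleep until 08:00 next day, then one check."""
    return run_renewer(TICKET, hourly(T0, 10) + [T0 + timedelta(hours=23)])[0]

def always_awake() -> List[Action]:
    """Same ticket on a machine that checks every hour for the whole week."""
    return run_renewer(TICKET, hourly(T0, 7 * 24))[0]
```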