Apps acquiring tickets

Alexandra Ellwood lxs at MIT.EDU
Wed May 7 12:55:20 EDT 2003


>People looking at this should consider the Kerberos login library
>architecture used by KFM and look at whether that architecture is
>appropriate for other platforms.
>
>Decisions that KLL makes:
>
>1) The graphical prompting is done in the context of the application.
>    You could argue against this because it means any arbitrary
>    application can prompt you for a password.

This was true in Mac OS 9.  In Mac OS X, the application makes the 
request to prompt (as a side effect of trying to look up the default 
ccache), but the actual dialog is presented by the 
KerberosLoginServer, a separate process launched from inside the 
Kerberos framework.  This is similar to the behavior of the 
SecurityAgent which presents the administrator password dialog for 
Mac OS X's Security Services.

>2) Library functions may attempt to interact with the terminal and get
>     tickets in text mode.

This will no longer be true in the next major release of Mac OS X. 
We found there were too many problems with the automatic prompting 
interfering with curses-style terminal programs.  A command line 
client can still manually call into the KLL to prompt if necessary 
(with KLAcquireInitialTickets()), but the library will no longer 
automatically prompt.

>Note that MIT will continue to have to support KLL for KFM, so any
>significantly different architecture will be harder for us to accept.
>
>Personally I'm not yet convinced this problem is worth solving.  I
>think the Windows approach of getting tickets at login and continually
>renewing them is appropriate.

There are a couple of common cases where automatic prompting really 
helps Mac OS X users.  I'm not sure how applicable these are to other 
platforms:

Many Mac users have their own personal machine.  The OS installer 
encourages them to use Mac OS X's "automatic login", which results in 
a single user machine that never displays the Mac OS X login dialog. 
Unless the user stores their Kerberos password on the machine, when 
the user reboots the machine, he or she will need new tickets. 
Automatic software updates which need to reboot the machine usually 
come out every couple months, so this happens reasonably frequently 
even if the user never manually reboots their machine.

Mac laptop users often put their machines to sleep for periods longer 
than typical ticket lifetimes (e.g., overnight).  Since these machines 
cannot renew their tickets while asleep, and tickets cannot be 
renewed once they have expired, the user needs to get new tickets 
when they un-sleep the machine.


My two cents,

--lxs
-- 
-----------------------------------------------------------------------------
Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
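The laptop case above can be made concrete with a small model. This is an added, constructed example (not KLL or MIT code): a Kerberos TGT can be renewed only while it is still valid and before its renew-till deadline, so a machine that sleeps past expiry has to acquire new initial tickets, which is what drives the KLL prompt. The 10-hour lifetime, 7-day renewable window, hourly maintenance pass and renew-at-80% threshold are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Ticket:
    starttime: datetime
    endtime: datetime               # ticket is unusable after this instant
    renew_till: Optional[datetime]  # None: ticket was not issued RENEWABLE

def next_action(ticket: Ticket, now: datetime, renew_at: float = 0.8) -> str:
    """What a ticket-maintenance pass should do at `now`.
    'reacquire': expired; the KDC will not renew an expired ticket, so new
                 initial tickets (and hence a password prompt) are needed.
    'renew':     still valid, past renew_at of its lifetime, inside the
                 renewable window, so a renew request can extend it.
    'valid':     nothing to do yet."""
    if now >= ticket.endtime:
        return "reacquire"
    due = ticket.starttime + (ticket.endtime - ticket.starttime) * renew_at
    if ticket.renew_till is not None and due <= now < ticket.renew_till:
        return "renew"
    return "valid"

def renew(ticket: Ticket, now: datetime, lifetime: timedelta) -> Ticket:
    """Model a successful renewal: fresh lifetime, capped at renew_till."""
    return Ticket(now, min(now + lifetime, ticket.renew_till), ticket.renew_till)

def simulate(ticket: Ticket, lifetime: timedelta, hours: int, asleep=frozenset()):
    """Hourly maintenance pass over a constructed day. During hours listed in
    `asleep` the machine is suspended, so no pass runs and nothing can renew."""
    t0, log = ticket.starttime, []
    for h in range(hours):
        if h in asleep:
            continue
        now = t0 + timedelta(hours=h)
        action = next_action(ticket, now)
        if action == "renew":
            ticket = renew(ticket, now, lifetime)
        log.append((h, action))
    return log

# Constructed scenario: 10-hour tickets, renewable for a week, issued at 09:00.
T0 = datetime(2003, 5, 7, 9, 0)
LIFETIME = timedelta(hours=10)
FRESH = Ticket(T0, T0 + LIFETIME, T0 + timedelta(days=7))

def desktop_day():
    """Machine awake all day: periodic renewals keep the ticket alive."""
    return simulate(FRESH, LIFETIME, 24)

def laptop_day():
    """Laptop sleeps 16:00 to 08:00 (hours 7..22) and wakes to an expired TGT."""
    return simulate(FRESH, LIFETIME, 24, asleep=frozenset(range(7, 23)))
```

Running `desktop_day()` shows renewals at hours 8 and 16 and never a reacquire; `laptop_day()` ends with `(23, "reacquire")` because the ticket expired at 19:00 while the machine was asleep and could not be renewed.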