Apps acquiring tickets

Sam Hartman hartmans at MIT.EDU
Wed May 7 13:04:28 EDT 2003


>>>>> "Alexandra" == Alexandra Ellwood <lxs at MIT.EDU> writes:

    >> People looking at this should consider the Kerberos login
    >> library architecture used by KFM and look at whether that
    >> architecture is appropriate for other platforms.
    >> 
    >> Decisions that KLL makes:
    >> 
    >> 1) The graphical prompting is done in the context of the
    >> application.  You could argue against this because it means any
    >> arbitrary application can prompt you for a password.

    Alexandra> This was true in Mac OS 9.  In Mac OS X, the
    Alexandra> application makes the request to prompt (as a side
    Alexandra> effect of trying to look up the default ccache), but
    Alexandra> the actual dialog is presented by the
    Alexandra> KerberosLoginServer, a separate process launched from
    Alexandra> inside the Kerberos framework.  This is similar to the
    Alexandra> behavior of the SecurityAgent which presents the
    Alexandra> administrator password dialog for Mac OS X's Security
    Alexandra> Services.

OK, I was trying to distinguish this from the Windows behavior where
you should really only be entering your password after hitting
ctrl-alt-del, and the process that asks you for your password is
long-running and has never been influenced by the user context.


The Mac behavior is very convenient for users, but there is no way for
a user to easily tell if the password dialogue is really presented by
the right process instead of something that looks like it.

    Alexandra> Mac laptop users often put their machines to sleep for
    Alexandra> periods longer than typical ticket lifetimes (eg:
    Alexandra> overnight).  Since these machines cannot renew their
    Alexandra> tickets while asleep, and tickets cannot be renewed
    Alexandra> once they have expired, the user needs to get new
    Alexandra> tickets when they un-sleep the machine.

I wonder how Windows deals with this.


