Thoughts on long-lived credentials
Nicolas Williams
Nicolas.Williams at sun.com
Thu Jan 19 15:45:23 EST 2006
On Fri, Jan 20, 2006 at 07:06:00AM +1100, Luke Howard wrote:
> >Windows does this I think. In fact I seem to recall that for at
> >least some versions of Windows it doesn't even bother trying to renew
> >the tickets and just always uses the stored key.
>
> Unfortunately I never leave my Windows workstation unlocked for long
> enough to verify this. But, given the NT OWF is present in memory to
> support NTLM clients, it makes sense to use this for Kerberos too if
> rc4-hmac is supported. Maybe someone from Microsoft can confirm.
>
> (Still, I think in the end we don't want to implement this approach,
> for the reasons pointed out in my initial e-mail, and Doug's.)
It can be an option. If you're willing to type in a long-term password
on some keyboard, you might be willing to let the system cache the
long-term credential -- you might also not want it to, on the theory
that subsequent compromise of the system may compromise temporary
credentials but not long-term credentials. Such a trade-off decision
can be put in the hands of the administrator, with an appropriate
default.
Nico