client side password store best practices?

Chris Hecker checker at d6.com
Tue Aug 9 19:05:05 EDT 2011


I never got a reply to this (presumably it was lost in the flurry of 
other mails I send! :), but it seems like storing a keytab is the best 
thing to do for this situation.

However, I've hit a snag:  when creating a keytab on the client using 
the code from ktutil as a reference, how do I know what kvno to use?  In 
other words, the client might have changed his or her password multiple 
times through my web interface, so I have no way to know what the latest 
kvno for the key should be.  Do I have to do an init_creds_password and 
get the key/kvno/etc from the cc, rather than creating it myself?  That 
greatly complicates things, since I'm doing all KDC communication 
asynchronously on another thread...my login state machine is getting a 
little crazy...

Hmm, wait, can I even do that?  The kvno's in the ccache are from the 
ticket's server's key...yeah, I just tested this...

Okay, from looking at kvno.c, if I get creds with myself as the server, 
then that will have the kvno of my latest key.  But, I have -allow_svr 
set on clients, so I guess I have to do u2u creds to myself...argh, no, 
I just tested this, and the kvno is 0 for a u2u ticket.

What can I do to get the latest kvno for a client with -allow_svr set, 
or more generally, how can I create a keytab on the client with the 
latest kvno?  I really don't want to write another service to fetch the 
kvno.

Chris



On 2011/07/24 02:33, Chris Hecker wrote:
>
> This is my last mail tonight, I promise!
>
> Okay, so I know the best answer to "What's the best way to store the
> user's password on his or her machine?" is "Don't!"
>
> However, the reality of my industry is security is somewhat important,
> but usability is very important, so I need to find the right balance.
>
> Basically, the goal is to have somebody click on the game's icon and be
> playing immediately, and they should only have to enter the password
> once unless they decide (or I force them) to change it.
>
> It seems like the best way to do this is store the password on the
> user's machine. Since you're not supposed to store passwords in
> plaintext, it seems the best way to store the password is to use a
> keytab to store the key, since it's already salted and hashed and ready
> to be used by krb5_get_init_creds_keytab and I don't have to do any work.
>
> The only other alternative I could think of was to use long-term
> renewable tickets, but that requires the user to actually run the game
> every day to renew tickets if I have 24h lifetimes on the tickets, which
> is a non-starter. I don't want to have longer than 24h tickets since
> short-lived tickets seem to be core to the Kerberos security model.
>
> Storing the keytab, plus figuring out how to disable accounts at the KDC
> seems like it's the right mix of security, user control, and
> accessibility. If the client's machine is hacked, the bad guys only get
> the one key, and I disable the acount.
>
> Thoughts? Am I missing a better solution?
>
> Thanks,
> Chris
>
>



More information about the Kerberos mailing list