IAKERB Starter Credentials Solution

Nico Williams nico at cryptonector.com
Sat Apr 26 20:46:13 EDT 2025


On Sat, Apr 26, 2025 at 07:32:35PM -0400, Michael B Allen wrote:
> Ideally there should be some unix socket service that just processes gss
> tokens.

That's gssd, variously named.

> Being a separate process it can do crypto without exposing base keys and
> even store the plaintext password (encrypted of course) used to login to
> the device and achieve true SSO.
> It would provide persistence so that transient processes can get creds
> without prompting.
> It would normalize the prompting.

If you want apps not to see even passwords, then you can only do this by
having a visual desktop and dialog pop-ups _or_ (and/or) the OS can
use the login and screen unlock interactions + caching.

> Presumably no such service exists so what can I do?

No, it does.  It's called gssd, or rpc.gssd, etc.

> You seem to be suggesting that each of potentially multiple applications
> should be able to trap on an error, prompt for initial credentials (in
> whatever way) and then do an a-typical gss_acquire_cred_with_password with
> just the IAKERB mech.

No, I'm suggesting that only the login screen, screen unlock screen, and
RDP-like apps should bother with interaction for initial credential
acquisition.

Nico
-- 


More information about the Kerberos mailing list