IAKERB Starter Credentials Solution
Nico Williams
nico at cryptonector.com
Sat Apr 26 20:46:13 EDT 2025
On Sat, Apr 26, 2025 at 07:32:35PM -0400, Michael B Allen wrote:
> Ideally there should be some unix socket service that just processes gss
> tokens.
That's gssd, variously named.
> Being a separate process it can do crypto without exposing base keys and
> even store the plaintext password (encrypted of course) used to login to
> the device and achieve true SSO.
> It would provide persistence so that transient processes can get creds
> without prompting.
> It would normalize the prompting.
If you want apps not to see even passwords, then you can only do this by
having a visual desktop and dialog pop-ups _or_ (and/or) the OS can
use the login and screen unlock interactions + caching.
> Presumably no such service exists so what can I do?
No, it does. It's called gssd, or rpc.gssd, etc.
> You seem to be suggesting that each of potentially multiple applications
> should be able to trap on an error, prompt for initial credentials (in
> whatever way) and then do an a-typical gss_acquire_cred_with_password with
> just the IAKERB mech.
No, I'm suggesting that only the login screen, screen unlock screen, and
RDP-like apps should bother with interaction for initial credential
acquisition.
Nico
--
More information about the Kerberos
mailing list