Obtaining a TGT without unrestricted access to password.

Russ Allbery rra at stanford.edu
Wed Jun 15 21:28:55 EDT 2011


David Woodhouse <dwmw2 at infradead.org> writes:

> I'm trying to implement automatic renewal of Kerberos tickets during the
> lifetime of a user's session.

> The user's password is learned at login time and stored within the
> gnome-keyring dæmon.

Why don't you just obtain renewable tickets and renew them instead of
storing the password in memory?

> My second thought was that perhaps the keyring could be asked for the
> result of str2key on the password. That's not the actual *password*, at
> least. But I suspect that even that is still too sensitive to be handing
> it out?

It's completely equivalent to the password.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
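
Renewal as suggested in the reply above needs only the current TGT, so nothing password-equivalent has to stay in memory. The following is an added example, not code from this thread or from MIT Kerberos: it shows the decision a session agent could make from `klist` output, including the cases where renewal is no longer possible. The sample output, the date format, the 30-minute margin and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output (not taken from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
06/15/2011 09:00:00  06/15/2011 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/22/2011 09:00:00
"""

FMT = "%m/%d/%Y %H:%M:%S"  # assumed date format; klist output varies by locale and version
STAMP = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
# start, end, TGT principal, then an optional "renew until" line
TGT_RE = re.compile(STAMP + r"\s+" + STAMP + r"\s+krbtgt/\S+"
                    r"(?:\s+renew until " + STAMP + r")?")

def parse_tgt(klist_text):
    """Return (start, end, renew_till or None) for the TGT, or None if absent."""
    m = TGT_RE.search(klist_text)
    if not m:
        return None
    start, end, renew_till = (datetime.strptime(s, FMT) if s else None
                              for s in m.groups())
    return start, end, renew_till

def next_action(klist_text, now, margin=timedelta(minutes=30)):
    """Decide what an agent that holds no password should do at time `now`."""
    tgt = parse_tgt(klist_text)
    if tgt is None:
        return "reauth"   # no TGT in the cache
    _start, end, renew_till = tgt
    if now >= end:
        return "reauth"   # an expired ticket cannot be renewed
    if now < end - margin:
        return "wait"     # still comfortably valid
    if renew_till is None or now >= renew_till or renew_till <= end:
        return "reauth"   # not renewable, or renewable lifetime used up
    return "renew"        # run `kinit -R`; it presents the TGT, not the password

if __name__ == "__main__":
    print(next_action(SAMPLE_KLIST, datetime(2011, 6, 15, 18, 45)))
```

A "reauth" result is the point where the user has to be prompted again; the initial ticket must have been requested as renewable (for example with `kinit -r`) for "renew" to ever be returned.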



