Obtaining a TGT without unrestricted access to password.

David Woodhouse dwmw2 at infradead.org
Thu Jun 16 03:59:18 EDT 2011


On Wed, 2011-06-15 at 18:28 -0700, Russ Allbery wrote:
> David Woodhouse <dwmw2 at infradead.org> writes:
> 
> > I'm trying to implement automatic renewal of Kerberos tickets during the
> > lifetime of a user's session.
> 
> > The user's password is learned at login time and stored within the
> > gnome-keyring dæmon.
> 
> Why don't you just obtain renewable tickets and renew them instead of
> storing the password in memory?

Renewable tickets are all very well, but they're typically only
renewable for ten days or so. And they also need to be renewed every ten
hours, which isn't always possible on a sporadically-connected device. A
laptop or tablet might be turned off, or outside the corporate network,
for longer than that period of time every night.

> > My second thought was that perhaps the keyring could be asked for the
> > result of str2key on the password. That's not the actual *password*, at
> > least. But I suspect that even that is still too sensitive to be handing
> > it out?
> 
> It's completely equivalent to the password.

Thanks. Stef asked the follow-up question that occurs to me: Is that
*really* equivalent, in that I can reverse it and then learn the
password and type it into other things?

Or just 'password-equivalent' in that you can always obtain a TGT for
the given principal with it, and not even for the same user in any
*other* Kerberos realms?

-- 
dwmw2
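As an added illustration of the str2key step discussed above (example code written for this page, not from the thread or from any Kerberos implementation): for the AES enctypes, RFC 3962 derives key material from the password with PBKDF2-HMAC-SHA1 over a salt built from the realm name and the principal name components (RFC 4120 default salt), which is why the result is one-way and is tied to one principal in one realm. Only the PBKDF2 stage is shown; the final AES-based DK() step of RFC 3962 is omitted, so the output corresponds to the "128-bit PBKDF2 output" of the RFC's Appendix B vectors, not the finished enctype key.

```python
import hashlib

# RFC 3962 default iteration count for the AES enctypes.
DEFAULT_ITERATIONS = 4096


def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: realm name followed by the principal name
    components, concatenated with no separators.  'name/instance@REALM'
    becomes b'REALMnameinstance'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal must look like name[/instance]@REALM")
    return (realm + "".join(name.split("/"))).encode("utf-8")


def pbkdf2_stage(password: str, principal: str,
                 iterations: int = DEFAULT_ITERATIONS, key_len: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (DK() step omitted).
    key_len is 16 for aes128-cts-hmac-sha1-96, 32 for aes256-cts-hmac-sha1-96."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               default_salt(principal), iterations, key_len)


def same_key_material(password: str, principal_a: str, principal_b: str) -> bool:
    """True only if both principals yield identical PBKDF2 output: the salt
    includes the realm, so the same user name in two realms does not."""
    return pbkdf2_stage(password, principal_a) == pbkdf2_stage(password, principal_b)


def known_answer_ok() -> bool:
    """Check against RFC 3962 Appendix B, iteration count 1, password
    'password', principal raeburn@ATHENA.MIT.EDU (128-bit PBKDF2 output)."""
    expected = bytes.fromhex("cdedb5281bb2f801565a1122b2563515")
    return pbkdf2_stage("password", "raeburn@ATHENA.MIT.EDU", iterations=1) == expected


if __name__ == "__main__":
    # Constructed sample principals; the password is a placeholder.
    a = "raeburn@ATHENA.MIT.EDU"
    b = "raeburn@EXAMPLE.COM"
    print("salt for", a, "=", default_salt(a))
    print("RFC 3962 known answer ok:", known_answer_ok())
    print("same material across realms:", same_key_material("password", a, b))
```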
