Obtaining a TGT without unrestricted access to password.
David Woodhouse
dwmw2 at infradead.org
Thu Jun 16 06:11:25 EDT 2011
(Digression)
On Thu, 2011-06-16 at 08:44 +0200, Guido Günther wrote:
> * fire up company vpn
> * acquire Kerberos credential
> * auth to smtp/imap/etc.
We all realise how much this user experience sucks, right?
The user shouldn't have to do those steps manually.
When the mailer wants to talk to the company's mail server, it should
tell the connection manager. If you aren't currently on the company
network, that will automatically trigger a VPN connection attempt. The
user might be asked to authenticate to the VPN, so it may not be
*entirely* transparent, but they certainly shouldn't have to think "oh,
I am not connected so I will have to do that first otherwise my mail
program will just be broken".
It's the same for authentication. The user shouldn't have to *manually*
check whether their TGT is still valid and get a new one before running
the mailer. If the mail program discovers that the TGT has expired, it
should just go poke krb5-auth-dialog to get you a new one!
We fixed this in Evolution a while back; checking for the
KRB5KRB_AP_ERR_TKT_EXPIRED or KRB5KDC_ERR_NEVER_VALID errors and poking
krb5-auth-dialog manually:
http://git.gnome.org/browse/evolution-data-server/commit/?id=6c6dfcc9
But that only solves the problem for Evolution, and not for any other
clients. It would be nice if perhaps we could hook into libkrb5 itself,
so we can do that 'poke' in *one* place, rather than having to modify
all the clients. Is that feasible?
--
dwmw2
More information about the krbdev
mailing list