gnome-keyring Obtaining a TGT without unrestricted access to password.

Roland C. Dowdeswell elric at imrryr.org
Thu Jun 16 11:49:32 EDT 2011


On Thu, Jun 16, 2011 at 08:10:24AM -0700, Russ Allbery wrote:
>
> David Woodhouse <dwmw2 at infradead.org> writes:
> 
> > Am I missing something here? The Windows default is a 10-hour ticket,
> > renewable for 10 days. So you might manage 10 days at most, as long as
> > you set a wakeup timer to wake the laptop up from its slumber in the
> > middle of the night, connect to the VPN (without user interaction), and
> > renew the ticket. Otherwise it'll be dead and unrenewable every morning?
> 
> I think the place where we're talking past each other here is that you're
> assuming that the above are facts of nature that cannot be changed because
> you're mostly dealing with users of Windows realms whose administrators
> don't know what they're doing, whereas Roland and I are both KDC
> administrators and know exactly what the lifetimes and renewable lifetimes
> are for our realms and set them intentionally.  :)
> 
> For example, our ticket lifetime is 25 hours and our renewable lifetime is
> 14 days.  I actually want our users to have to re-enter their password
> every 14 days, or rather, I want the person who stole their laptop to have
> full use of their account for at most 14 days after the point at which
> they stole it, even if they don't tell us about that.

How about the prevalence of userland programs that presume that
the presentation of a user's passwd indicates that the user is
actually sitting in front of the keyboard?  There are many programs
that will intentionally reprompt for a user's passwd to perform
administrative or high risk activities.  Examples that come to mind
are kadmin, kpasswd, sudo.  This model is also used in enterprises
for high risk business transactions (frequently with pressure from
regulators).

How does one square away the storing of a passwd in memory against
this existing prevalent use case?  Other than simply transitioning
to OTP in order to defeat it?

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
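To make the lifetime arithmetic in the exchange above concrete, here is an added example (not from this thread, nor MIT Kerberos code) that replays renewal attempts against the 10-hour/10-day Windows defaults and the 25-hour/14-day policy Russ describes; the issue date, renewal schedules and policy names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed policies from the thread: the Windows defaults David Woodhouse
# quotes, and the 25-hour / 14-day realm Russ Allbery describes.
WINDOWS_DEFAULT = (timedelta(hours=10), timedelta(days=10))
LONG_LIFETIME_REALM = (timedelta(hours=25), timedelta(days=14))

def simulate_renewals(issued, ticket_life, renew_life, attempts):
    """Replay renewal attempts against a renewable TGT.  A renewal succeeds
    only while the ticket is still valid; it extends the end time by one
    ticket lifetime but never past renew-till.  Returns the final end time
    and the list of attempts that were refused."""
    renew_till = issued + renew_life
    end = min(issued + ticket_life, renew_till)
    refused = []
    for t in sorted(attempts):
        if t >= end:            # already expired, or at renew-till: dead
            refused.append(t)
            continue
        end = min(t + ticket_life, renew_till)
    return end, refused

def daily_attempts(issued, hours, days):
    """Constructed schedule: one attempt at each wall-clock hour in `hours`
    on every day from the issue day onward (attempts before issue dropped)."""
    day0 = issued.replace(hour=0, minute=0, second=0, microsecond=0)
    times = [day0 + timedelta(days=d, hours=h) for d in range(days) for h in hours]
    return [t for t in times if t > issued]

def scenarios():
    """Three cases from the thread; returns {name: (usable_for, refused_count)}."""
    issued = datetime(2011, 6, 13, 9, 0)  # constructed: a Monday at 09:00
    cases = {
        # Renew only when the user sits down each morning: dead by evening.
        "windows_morning_only": (WINDOWS_DEFAULT, [9]),
        # Add an end-of-day renewal and a 02:00 wake-up timer: lasts 10 days.
        "windows_with_wakeup": (WINDOWS_DEFAULT, [2, 9, 17]),
        # A 25h ticket outlives the night on morning renewals alone: 14 days.
        "long_morning_only": (LONG_LIFETIME_REALM, [9]),
    }
    out = {}
    for name, ((life, renewable), hours) in cases.items():
        end, refused = simulate_renewals(issued, life, renewable,
                                         daily_attempts(issued, hours, 15))
        out[name] = (end - issued, len(refused))
    return out

if __name__ == "__main__":
    for name, (usable, refused) in scenarios().items():
        print(f"{name:22s} usable for {usable}, {refused} renewals refused")
```

Whatever the renewal schedule, the ticket is unusable once renew-till passes, which is the bound on a stolen laptop's access that the 14-day renewable lifetime is chosen to enforce.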
More information about the krbdev mailing list