gnome-keyring Obtaining a TGT without unrestricted access to password.
    Nico Williams
    nico at cryptonector.com
    Thu Jun 16 12:07:16 EDT 2011

On Thu, Jun 16, 2011 at 10:49 AM, Roland C. Dowdeswell <elric at imrryr.org> wrote:
> How about the prevalence of userland programs that presume that
> the presentation of a user's passwd indicates that the user is
> actually sitting in front of the keyboard?  There are many programs
> that will intentionally reprompt for a user's passwd to perform
> administrative or high risk activities.  Examples that come to mind
> are kadmin, kpasswd, sudo.  This model is also used in enterprises
> for high risk business transactions (frequently with pressure from
> regulators).
>
> How does one square away the storing of a passwd in memory against
> this existing prevalent use case?  Other than simply transitioning
> to OTP in order to defeat it?
You either ignore this problem or you use OTP or PKINIT with
non-extractable private keys stored in smartcards.
Nico

More information about the krbdev mailing list