Obtaining a TGT without unrestricted access to password.

JC Ferguson jc at f5.com
Wed Jun 15 21:35:18 EDT 2011


I agree with Russ - renewable tickets is the way to go.
 JC


-----Original Message-----
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of Russ Allbery
Sent: Wednesday, June 15, 2011 21:29
To: David Woodhouse
Cc: Guido Günther; stefw at collabora.co.uk; krbdev at mit.edu; gnome-keyring-list at gnome.org
Subject: Re: Obtaining a TGT without unrestricted access to password.

David Woodhouse <dwmw2 at infradead.org> writes:

> I'm trying to implement automatic renewal of Kerberos tickets during 
> the lifetime of a user's session.

> The user's password is learned at login time and stored within the 
> gnome-keyring dæmon.

Why don't you just obtain renewable tickets and renew them instead of storing the password in memory?

> My second thought was that perhaps the keyring could be asked for the 
> result of str2key on the password. That's not the actual *password*, 
> at least. But I suspect that even that is still too sensitive to be 
> handing it out?

It's completely equivalent to the password.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

_______________________________________________
krbdev mailing list             krbdev at mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
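To illustrate the renewable-ticket approach Russ recommends, here is an added example (not code from the thread or from MIT krb5): it parses MIT `klist` output for the TGT and decides whether nothing is needed, whether `kinit -R` can renew using only the existing ticket, or whether the renewable lifetime is exhausted and the user must re-enter the password. The sample `klist` text, the `margin` parameter and the function names are assumptions of the example.

```python
# Added example: keep a TGT alive from its renewable lifetime, never from a stored password.
import re
import subprocess
from datetime import datetime, timedelta

KLIST_TIME = "%m/%d/%Y %H:%M:%S"  # MIT klist default timestamp format
TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS})$")

# Constructed sample of `klist` output after `kinit -r 7d` (not a real cache).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/15/2011 21:00:00  06/16/2011 07:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/22/2011 21:00:00
"""

def parse_tgt(klist_text):
    """Return (expires, renew_until) for the krbtgt entry.
    renew_until is None when the TGT was not issued renewable."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = TICKET_RE.match(line)
        if not m or not m.group(3).startswith("krbtgt/"):
            continue
        expires = datetime.strptime(m.group(2), KLIST_TIME)
        renew_until = None
        if i + 1 < len(lines):
            r = RENEW_RE.match(lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1), KLIST_TIME)
        return expires, renew_until
    raise ValueError("no krbtgt ticket in cache")

def choose_action(expires, renew_until, now, margin=timedelta(minutes=30)):
    """'nothing' while more than `margin` remains; 'renew' while the TGT is
    still valid and inside its renewable window; otherwise 'reauth'."""
    if now + margin < expires:
        return "nothing"
    if renew_until is not None and now < expires and now < renew_until:
        return "renew"
    return "reauth"

def renew_tgt():
    """Renew using only the existing ticket; the password is never touched."""
    return subprocess.run(["kinit", "-R"], check=False).returncode
```

A session agent would call `choose_action` on a timer and run `renew_tgt()` on "renew"; only on "reauth" does it have to prompt the user, so the password never has to sit in memory for the life of the session.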



