Obtaining a TGT without unrestricted access to password.

Stef Walter stefw at collabora.co.uk
Thu Jun 16 03:51:42 EDT 2011


On 06/16/2011 07:44 AM, Guido Günther wrote:
> I'm not sure if this is what David wants to achieve but if so couldn't
> we just move the auth part of krb5-auth-dialog into gkr keeping the
> notification parts and plugins of krb5-auth-dialog separate? We could
> then use krb5_get_init_creds_password with our own prompter and use the
> password if available.

Pretty much because I'd like to try (if at all possible) to keep
gnome-keyring as a password/secret/key-storage-daemon. Rather than a
contact-remote-hosts-and-get-involved-in-porotocols daemon.

At this point it's unclear if we can factor out the password
hashing/challenge-response stuff from kerberos and just put those
algorithms in the daemon. But it's worth trying to make it work. Hence
David's email.

Cheers,

Stef



More information about the krbdev mailing list