Obtaining a TGT without unrestricted access to password.
Guido Günther
agx at sigxcpu.org
Thu Jun 16 02:44:51 EDT 2011
On Wed, Jun 15, 2011 at 06:28:55PM -0700, Russ Allbery wrote:
> David Woodhouse <dwmw2 at infradead.org> writes:
>
> > I'm trying to implement automatic renewal of Kerberos tickets during the
> > lifetime of a user's session.
>
> > The user's password is learned at login time and stored within the
> > gnome-keyring dæmon.
>
> Why don't you just obtain renewable tickets and renew them instead of
> storing the password in memory?
What krb5-auth-dialog is often used for is:
* auth offline (e.g. with cached password)
* do stuff
* fire up company vpn
* acquire Kerberos credential
* auth to smtp/imap/etc.
* kill vpn
* ...
I'm not sure if this is what David wants to achieve but if so couldn't
we just move the auth part of krb5-auth-dialog into gkr keeping the
notification parts and plugins of krb5-auth-dialog separate? We could
then use krb5_get_init_creds_password with our own prompter and use the
password if available.
Cheers,
-- Guido