Obtaining a TGT without unrestricted access to password.

Douglas E. Engert deengert at anl.gov
Fri Jun 17 14:03:32 EDT 2011



On 6/16/2011 2:51 AM, Stef Walter wrote:
> On 06/16/2011 07:44 AM, Guido Günther wrote:
>> I'm not sure if this is what David wants to achieve but if so couldn't
>> we just move the auth part of krb5-auth-dialog into gkr keeping the
>> notification parts and plugins of krb5-auth-dialog separate? We could
>> then use krb5_get_init_creds_password with our own prompter and use the
>> password if available.
>
> Pretty much because I'd like to try (if at all possible) to keep
> gnome-keyring as a password/secret/key-storage-daemon. Rather than a
> contact-remote-hosts-and-get-involved-in-protocols daemon.

This attitude by developers of stashing long-term secrets is exactly
why sites want to impose OTP, smart card or other non-password based
authentication.

>
> At this point it's unclear if we can factor out the password
> hashing/challenge-response stuff from kerberos and just put those
> algorithms in the daemon. But it's worth trying to make it work. Hence
> David's email.
>
> Cheers,
>
> Stef
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


