Keytab-based initiator creds design

Simo Sorce simo at redhat.com
Thu Jun 7 18:30:05 EDT 2012


On Thu, 2012-06-07 at 15:07 -0700, Russ Allbery wrote:
> Simo Sorce <simo at redhat.com> writes:
> 
> > Well I am pushing for getting you a ccache at login time, my idea is
> > that the user shouldn't even know nor care that they have a ccache and
> > not have to learn to use kinit. Of course admins need to, but I would
> > expect them to know what they are doing :)
> 
> This works up until the point when your ticket cache expires.  Refreshing
> an expired ticket cache is the primary reason why our users run kinit.
> (And renewable tickets reduce this problem but don't eliminate it; wanting
> to stay logged in longer than a reasonable renewable ticket lifetime is
> common.)  If you have a GUI session, you can spawn some local helper that
> does kinit for the user, but if they're logged in remotely, you can't
> really do that.

SSSD can do that for you (renew), and we could technically even allow it
to simply store your password (if you are using simple password-based
auth and refresh for you).
However, kinit can be used; I do not want to 'prevent' using it, just
remove unnecessary reasons to use it.

> The other reason why our users run kinit is because they have OpenSSH
> clients that can do GSS-API authentication but can't (or aren't configured
> to) do ticket delegation, which is depressingly common.

yep.

> > The problem with multiple ccaches per session are things like NFS or
> > CIFS. Which ccache should they pick for file access when you have
> > multiple ones? How do they find them?
> 
> Yeah, that's the conversation that Nico and I were just having.  :)

Sorry, I saw all those other posts coming in only after I replied :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
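The renewal limits Russ describes above (renewable tickets postpone, but do not remove, the need to run kinit again) can be made concrete with a small checker. The following is an added example, not code from this thread, from MIT Kerberos or from SSSD: it parses a constructed `klist` listing, locates the TGT, classifies it, and computes how far a `kinit -R` issued at a given moment would push the expiry, capped by the renew-until time. The timestamp layout (MM/DD/YYYY HH:MM:SS), the sample cache contents and the principal names are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample of `klist` output (not captured from a real system).
# The timestamp layout assumed by the parser is MM/DD/YYYY HH:MM:SS.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/07/2012 09:00:00  06/07/2012 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/14/2012 09:00:00
06/07/2012 09:05:00  06/07/2012 19:00:00  nfs/fileserver.example.com@EXAMPLE.COM
"""

TS_FMT = "%m/%d/%Y %H:%M:%S"
TS_RE = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
ENTRY_RE = re.compile(rf"^({TS_RE})\s+({TS_RE})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS_RE})$")


def parse_ts(text):
    """Parse one timestamp in the assumed klist layout."""
    return datetime.strptime(text, TS_FMT)


def parse_klist(text):
    """Return (default principal, list of ticket dicts) from klist text.

    Each ticket dict has service, start, expires and renew_until (None when
    the listing shows no 'renew until' line for that ticket).
    """
    principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal: "):
            principal = line.split(": ", 1)[1].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            start, expires, service = m.groups()
            tickets.append({"service": service,
                            "start": parse_ts(start),
                            "expires": parse_ts(expires),
                            "renew_until": None})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # The 'renew until' line belongs to the entry just above it.
            tickets[-1]["renew_until"] = parse_ts(m.group(1))
    return principal, tickets


def find_tgt(principal, tickets):
    """Pick the TGT for the principal's own realm, or None if absent."""
    realm = principal.rsplit("@", 1)[1]
    wanted = f"krbtgt/{realm}@{realm}"
    return next((t for t in tickets if t["service"] == wanted), None)


def classify_tgt(tgt, now):
    """Say what can still be done with the TGT at time `now`.

    expired             -> a new initial ticket (password or keytab) is
                           needed; the KDC does not renew expired tickets.
    renewable           -> still valid and renewal gains time: kinit -R (or
                           a renewing daemon) can extend it.
    valid_not_renewable -> still valid, but renewal cannot push the expiry
                           any further; a fresh kinit is due at expiry.
    """
    if now >= tgt["expires"]:
        return "expired"
    ru = tgt["renew_until"]
    if ru is not None and ru > tgt["expires"]:
        return "renewable"
    return "valid_not_renewable"


def renewed_expiry(tgt, now):
    """Expiry a renewal at `now` would yield, or None if no renewal helps.

    A renewed ticket keeps its original lifetime (expires - start) but can
    never run past renew_until, which is why renewals alone cannot keep a
    session alive indefinitely.
    """
    if classify_tgt(tgt, now) != "renewable":
        return None
    lifetime = tgt["expires"] - tgt["start"]
    return min(now + lifetime, tgt["renew_until"])


if __name__ == "__main__":
    who, creds = parse_klist(SAMPLE_KLIST)
    tgt = find_tgt(who, creds)
    at = parse_ts("06/07/2012 18:00:00")
    print(who, classify_tgt(tgt, at), renewed_expiry(tgt, at))
```

Running the module prints the classification for the constructed cache at 18:00 on the sample day; a renewal then yields a new ten-hour ticket, while a renewal attempted an hour before the renew-until time is cut off at that ceiling, after which only a new initial ticket helps.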