Groups | Search | Server Info | Login | Register
Groups > comp.protocols.kerberos > #5406
| From | Nico Williams <nico@cryptonector.com> |
|---|---|
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: IAKERB Starter Credentials Solution |
| Date | 2025-04-26 19:46 -0500 |
| Organization | TNet Consulting |
| Message-ID | <mailman.189.1745714784.2322.kerberos@mit.edu> (permalink) |
| References | (1 earlier) <aA0Lm7Ln7IU3t22Z@ubby> <CAGMFw4imyZmEsWkX0KRqkHyPsCZiiKad1dDcP1hwNxzcFV4eRg@mail.gmail.com> <aA1X65FhLnZ+ss6I@ubby> <CAGMFw4gHvZ9nRLx1Q=sWCXagHXEi_XJvMkczZK2hy62Vq9aKzg@mail.gmail.com> <aA1+VaGCHTYgTTjK@ubby> |
On Sat, Apr 26, 2025 at 07:32:35PM -0400, Michael B Allen wrote: > Ideally there should be some unix socket service that just processes gss > tokens. That's gssd, variously named. > Being a separate process it can do crypto without exposing base keys and > even store the plaintext password (encrypted of course) used to login to > the device and achieve true SSO. > It would provide persistence so that transient processes can get creds > without prompting. > It would normalize the prompting. If you want apps not to see even passwords, then you can only do this by having a visual desktop and dialog pop-ups _or_ (and/or) the OS can use the login and screen unlock interactions + caching. > Presumably no such service exists so what can I do? No, it does. It's called gssd, or rpc.gssd, etc. > You seem to be suggesting that each of potentially multiple applications > should be able to trap on an error, prompt for initial credentials (in > whatever way) and then do an a-typical gss_acquire_cred_with_password with > just the IAKERB mech. No, I'm suggesting that only the login screen, screen unlock screen, and RDP-like apps should bother with interaction for initial credential acquisition. Nico --
Back to comp.protocols.kerberos | Previous | Next | Find similar
Re: IAKERB Starter Credentials Solution Nico Williams <nico@cryptonector.com> - 2025-04-26 19:46 -0500
csiph-web