[Freeipa-devel] Thesis - Gnome Keyring Key Storage in Vault/KRA

Simo Sorce ssorce at redhat.com
Mon Oct 13 17:39:51 UTC 2014


On Mon, 13 Oct 2014 14:15:10 +0200
Sumit Bose <sbose at redhat.com> wrote:

> What about using a new authorization data type for the key. Then only
> the KDCs on the IPA servers need access to the key. The authorization
> data can be added to the service ticket of the host the user logs
> into. Since SSSD does ticket validation by default this service
> ticket would be available for password based logins as well.

The KDC has no way to know which host the user is logging on to, so
it would end up sending this data to any host the user logs into
(think SSH).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
