[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: thoughts/comments on renewal/revocation/cleanup



>  Hmm.  That's a hard one.  In the current framework, I'd argue the "right
>  way" is to get the tokens and tickets twice.  Once in the authentication
>  phase, and again in the session management phase, and to destroy the
>  tickets and tokens at the end of the authentication phase.  This is ugly
>  and inefficient, but I don't see a better way of doing things.

Right now I do something like that. I get them in the auth phase, and stuff
them away for later in pam variables and destroy them. No matter what, though,
I can't figure out how to avoid the problem of ending up with them lying
around in some scenario... unless I use a cleanup function of some sort which
cheats badly. I may do that.

>  How would pam_krb4 get the necessary password to reauthenticate you?
>  If you're running X, I suppose it could throw up a dialog window, but in
>  general it's a bad idea to train users to type their password into
>  dialog boxes whenever they happen to pop up on their screen.

Yeah. This is the big thing which has prevented me from actually doing anything
about it. No nice way to do it, and even if there was, it's evil.

>  Summarily logging a user out without giving them time to cleanly save
>  their emacs buffers, etc., also seems to be a problem.

Well, the current implementation, enforced in telnetd, warns you at 2 minutes,
90 seconds, 1 minute, and 30 seconds, and then punts you. If I could figure out
how to do something similar it would remove yet another reason why we need our
own local telnetd. Of course we'd still need a Kerberized telnetd, but maybe
not our own.

-D
