[Freeipa-users] Locked Screen saver & Renew Ticket window.

Stephen Gallagher sgallagh at redhat.com
Mon Sep 29 11:29:55 UTC 2008



Simo Sorce wrote:
> On Sun, 2008-09-28 at 19:12 -0400, Fred Wittekind wrote:
>> Simo Sorce wrote:
>>> On Sat, 2008-09-27 at 19:46 -0400, Fred Wittekind wrote:
>>>   
>>>> If you've been away for a long time, and the screen is both locked, and
>>>> the ticket has expired triggering a renew ticket window, you have to
>>>> enter your password twice in close succession, both validated by the IPA
>>>> directly or indirectly.
>>>>
>>>> I was wondering if this should be altered, so that when the screen saver 
>>>> password window sends an auth request to validate the password entered to
>>>> unlock the screen, if the ticket also needs renewed it should do so, and 
>>>> make the renew ticket window go away.
>>>>     
>>> Yes the screen-saver should trigger correct renewal of credentials.
>>> Are you sure that does not happen? I think the renew window does not go
>>> away even if the screen-saver does it right now as I think it does not
>>> do any polling to monitor if the situation is changed once it displays
>>> the prompt :/
>>>   
>> I'm not actually sure that the screen saver doesn't renew the 
>> credentials.  I'll check next time it happens.  Could / should the renew 
>> window be modified to poll?
> 
> Yeah it would be nice if it were smarter indeed.
> 
> Simo.
> 

Well, the reason that the screensaver requires two password entries is
that it needs to support traditional Kerberos authentication schemes
where it is fully possible to have a separate password for login and for
Kerberos authentication. Furthermore, we need to be able to support the
case where a user performs the initial logon using a different
authentication mechanism.

In my case, I have the fingerprint scanner set up to act as a shortcut
to waking my computer up from the screensaver. This biometric signature
is obviously not going to function the same as the Kerberos password, so
when I unlock the screensaver and it is time for Kerberos ticket
renewal, I still need to enter my Kerberos password.

--
Stephen Gallagher
RHCE 804006346421761



