[Freeipa-users] Locked Screen saver & Renew Ticket window.

Fred Wittekind rom at twister.dyndns.org
Mon Sep 29 13:01:20 UTC 2008


Stephen Gallagher wrote:
> Simo Sorce wrote:
>   
>> On Sun, 2008-09-28 at 19:12 -0400, Fred Wittekind wrote:
>>     
>>> Simo Sorce wrote:
>>>       
>>>> On Sat, 2008-09-27 at 19:46 -0400, Fred Wittekind wrote:
>>>>   
>>>>         
>>>>> If you've been away for a long time, and the screen is both locked, and 
>>>>> the ticket has expired triggering a renew ticket window, you have to 
>>>>> enter your password twice in close succession, both validated by the IPA 
>>>>> directly or indirectly.
>>>>>
>>>>> I was wondering if this should be altered, so that when the screen saver 
>>>>> password window sends an auth request to validate the password entered to 
>>>>> unlock the screen, if the ticket also needs renewed it should do so, and 
>>>>> make the renew ticket window go away.
>>>>>     
>>>>>           
>>>> Yes the screen-saver should trigger correct renewal of credentials.
>>>> Are you sure that does not happen? I think the renew window does not go
>>>> away even if the screen-saver does it right now as I think it does not
>>>> do any polling to monitor if the situation is changed once it displays
>>>> the prompt :/
>>>>   
>>>>         
>>> I'm not actually sure that the screen saver doesn't renew the 
>>> credentials.  I'll check next time it happens.  Could / should the renew 
>>> window be modified to poll?
>>>       
>> Yeah it would be nice if it were smarter indeed.
>>
>> Simo.
>>
>>     
>
> Well, the reason that the screensaver requires two password entries is
> that it needs to support traditional kerberos authentication schemes
> where it is fully possible to have a separate password for login and for
> kerberos authentication. Furthermore, we need to be able to support the
> case where a user performs the initial logon using a different
> authentication mechanism.
>
>

I'm not suggesting a change to the screensaver itself.  Just 
suggesting that the program that brings up the renew windows could be 
made smarter.  (Making it detect if the ticket was renewed by another 
means.)   I did verify that the screensaver is in fact renewing the 
ticket for my setup.

> In my case, I have the fingerprint scanner set up to act as a shortcut
> to waking my computer up from the screensaver. This biometric signature
> is obviously not going to function the same as the kerberos password, so
> when I unlock the screensaver and it is time for kerberos ticket
> renewal, I still need to enter my kerberos password.
>

And making the renew ticket window smart enough to detect if something 
else renewed the ticket would not affect this case, since it wouldn't 
detect a ticket renewal from your fingerprint scanner auth.

> --
>
> --------------------
> Stephen Gallagher
> RHCE 804006346421761
>   
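
An added sketch, not part of this thread and not code from FreeIPA or any renewal applet, of the polling suggested above: the renew prompt keeps checking the credential cache and dismisses itself once something else (such as the screensaver unlock) has renewed the ticket. An unlock that obtains no ticket, like the fingerprint case, leaves the prompt up. `prompt_until_renewed`, `ticket_valid` and `TICKET_CHECK` are hypothetical names; the default check assumes MIT Kerberos `klist -s`.

```shell
#!/bin/sh
# Added illustration, not code from FreeIPA or from any renewal applet.
# TICKET_CHECK (hypothetical knob) is the command that tests the credential
# cache. MIT klist -s prints nothing and exits 0 only if the cache is
# readable and unexpired.
: "${TICKET_CHECK:=klist -s}"

ticket_valid() {
    $TICKET_CHECK >/dev/null 2>&1
}

# prompt_until_renewed PROMPT_CMD [INTERVAL_SECONDS] [MAX_POLLS]
# PROMPT_CMD stands in for the renew-ticket dialog (assumed to obtain the
# ticket itself when the user types the password). Return codes:
#   0  cache is valid: renewed by the dialog or by something else
#   1  dialog exited and the cache is still expired (user cancelled)
#   2  MAX_POLLS reached (0 = poll forever); dialog dismissed
prompt_until_renewed() {
    prompt_cmd=$1
    interval=${2:-5}
    max_polls=${3:-0}
    polls=0

    ticket_valid && return 0          # nothing to ask the user for

    $prompt_cmd &                     # show the dialog without blocking
    prompt_pid=$!

    while :; do
        if ticket_valid; then         # e.g. the screensaver unlock renewed it
            kill "$prompt_pid" 2>/dev/null || true
            wait "$prompt_pid" 2>/dev/null || true
            return 0
        fi
        if ! kill -0 "$prompt_pid" 2>/dev/null; then
            wait "$prompt_pid" 2>/dev/null || true
            ticket_valid && return 0
            return 1
        fi
        polls=$((polls + 1))
        if [ "$max_polls" -gt 0 ] && [ "$polls" -ge "$max_polls" ]; then
            kill "$prompt_pid" 2>/dev/null || true
            wait "$prompt_pid" 2>/dev/null || true
            return 2
        fi
        sleep "$interval"
    done
}
```
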



