[Freeipa-users] Locked Screen saver & Renew Ticket window.
Fred Wittekind
rom at twister.dyndns.org
Mon Sep 29 13:01:20 UTC 2008
Stephen Gallagher wrote:
> Simo Sorce wrote:
>
>> On Sun, 2008-09-28 at 19:12 -0400, Fred Wittekind wrote:
>>
>>> Simo Sorce wrote:
>>>
>>>> On Sat, 2008-09-27 at 19:46 -0400, Fred Wittekind wrote:
>>>>
>>>>
>>>>> If you've been away for a long time, and the screen is both locked, and
>>>>> the ticket has expired triggering a renew ticket window, you have to
>>>>> enter your password twice in close succession, both validated by the IPA
>>>>> directly or indirectly.
>>>>>
>>>>> I was wondering if this should be altered, so that when the screen saver
>>>>> password window sends an auth request to validate the password entered to
>>>>> unlock the screen, if the ticket also needs renewed it should do so, and
>>>>> make the renew ticket window go away.
>>>>>
>>>>>
>>>> Yes the screen-saver should trigger correct renewal of credentials.
>>>> Are you sure that does not happen? I think the renew window does not go
>>>> away even if the screen-saver does it right now as I think it does not
>>>> do any polling to monitor if the situation is changed once it displays
>>>> the prompt :/
>>>>
>>>>
>>> I'm not actually sure that the screen saver doesn't renew the
>>> credentials. I'll check next time it happens. Could / should the renew
>>> window be modified to poll?
>>>
>> Yeah it would be nice if it were smarter indeed.
>>
>> Simo.
>>
>>
>
> Well, the reason that the screensaver requires two password entries is
> that it needs to support traditional Kerberos authentication schemes
> where it is fully possible to have a separate password for login and for
> Kerberos authentication. Furthermore, we need to be able to support the
> case where a user performs the initial logon using a different
> authentication mechanism.
>
>
I'm not suggesting a change to the screensaver itself. Just
suggesting that the program that brings up the renew windows could be
made smarter. (Making it detect if the ticket was renewed by another
means.) I did verify that the screensaver is in fact renewing the
ticket for my setup.
> In my case, I have the fingerprint scanner set up to act as a shortcut
> to waking my computer up from the screensaver. This biometric signature
> is obviously not going to function the same as the Kerberos password, so
> when I unlock the screensaver and it is time for Kerberos ticket
> renewal, I still need to enter my Kerberos password.
>
And making the renew ticket window smart enough to detect if something
else renewed the ticket would not affect this case, since it wouldn't
detect a ticket renewal from your fingerprint scanner auth.
> --
>
> --------------------
> Stephen Gallagher
> RHCE 804006346421761
>
>
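
Added example (not part of the original thread and not FreeIPA code): a shell version of the polling suggested above, in which a renew-ticket prompt rechecks the credential cache and closes itself once something else, such as the screensaver unlock, has renewed the ticket. It assumes MIT Kerberos `klist -s`; the function names and the `TICKET_CHECK` override are hypothetical.

```shell
#!/bin/sh
# Added example: poll the credential cache while a renew prompt is open.
# TICKET_CHECK is an assumption of this example; it defaults to `klist -s`
# (MIT Kerberos), which exits 0 when the cache holds unexpired credentials
# and 1 when the cache is unreadable or expired.
: "${TICKET_CHECK:=klist -s}"

# ticket_valid: true when the credential cache currently holds a valid ticket.
ticket_valid() {
    $TICKET_CHECK >/dev/null 2>&1
}

# watch_for_renewal INTERVAL MAX_POLLS
# Returns 0 as soon as something else (e.g. the screensaver unlock) has
# renewed the ticket, so the caller can close its prompt.
# Returns 1 if the ticket is still invalid after MAX_POLLS checks.
watch_for_renewal() {
    interval=$1
    max_polls=$2
    polls=0
    while [ "$polls" -lt "$max_polls" ]; do
        if ticket_valid; then
            return 0
        fi
        polls=$((polls + 1))
        sleep "$interval"
    done
    return 1
}

# decide_prompt_action INTERVAL MAX_POLLS
# Prints the action a (hypothetical) renew-prompt program should take:
#   no-prompt       ticket already valid, never show the window
#   dismiss-prompt  ticket was renewed elsewhere while the window was open
#   keep-prompt     ticket still expired, the user must enter the password
decide_prompt_action() {
    if ticket_valid; then
        echo "no-prompt"
    elif watch_for_renewal "$1" "$2"; then
        echo "dismiss-prompt"
    else
        echo "keep-prompt"
    fi
}
```

In the fingerprint-unlock case described in the thread, no ticket renewal occurs, so `klist -s` keeps failing and the result stays `keep-prompt`.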