[OpenAFS] "reauth" code?

Russ Allbery rra@stanford.edu
Thu, 23 Aug 2012 19:47:40 -0700


Russ Allbery <rra@stanford.edu> writes:

> kstart should do what you want, I believe, in a Kerberos v5 sort of way,
> although I forget if reauth was one of the programs that cached the
> password in memory.  If so, I have intentionally not implemented that
> functionality in kstart (at least yet) since it makes me unhappy from a
> security perspective, but I probably will eventually.  Currently, kstart
> requires that you create a keytab if you want to do persistent
> reauthentication.  (One of the reasons why I'll probably implement it
> anyway is that storing the password in memory is probably still more
> secure than creating a keytab file on disk.)

Oh, right, now I remember the other reason why I didn't implement that.
It's effectively implementing renewable credentials without using the
actual renewable credential support in the KDC.  That doesn't make sense
to do; if a site doesn't allow renewable credentials by policy, then
surely that same policy doesn't want people to renew credentials by
stashing their password somewhere and bypassing the policy that way.
(Yes, people can do this with a keytab, but that requires some Kerberos
sophistication.)

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>