On Sat, 2011-12-03 at 14:06 -0500, Dmitri Pal wrote:
> On 12/01/2011 08:48 PM, Simo Sorce wrote:
> > On Thu, 2011-12-01 at 19:31 -0500, John Dennis wrote:
> >> On 12/01/2011 06:54 PM, Dmitri Pal wrote:
> >>> Seems reasonable. I agree with pros and cons and suggestions but I am
> >>> not the person to make the final approval. Simo?
> >>>
> >>> Question for John: Is there any benefit for CLI or is it for UI only?
> >> Currently it would benefit the UI only. That's mostly because there is
> >> no mechanism in the CLI to cache the session ID. Adding that wouldn't be
> >> too difficult except for the issue of how to store the session ID
> >> securely; it would have to be written to a file (unlike with a browser,
> >> which is supposed to hold session cookies in memory). Is there an
> >> ability to add a data item like this to the user's Kerberos credential
> >> cache?
> > Yes, we could create a fake key and stick the session id in it.
> > That was the trick we proposed using when this question was raised a few
> > months ago during a conference call on the matter.
> >
> > Simo.
> >
> Can we please then extend the design to include this?
> 

Another approach (on Linux only) would be to have the CLI stuff the
session key into the kernel keyring. It would be secure and would be
capable of outliving the TGT life (if the session expiration is longer
than the TGT expiration).


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
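
The kernel-keyring approach suggested in the last message, sketched as an added example; it is not code from this thread or from FreeIPA. It assumes the session keyring is the target, uses raw `add_key`/`keyctl` system calls rather than libkeyutils, and the `ipa_session:` key name, the function names, the server name and the session ID are all hypothetical or constructed.

```c
#define _GNU_SOURCE
#include <linux/keyctl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Assumptions: session keyring; the "ipa_session:" key name is hypothetical. */
#define KEYRING ((long)KEY_SPEC_SESSION_KEYRING)
#define KEY_FMT "ipa_session:%s"
#define POSSESSOR_ONLY 0x3f000000UL /* all rights to possessor, none to others */
/* Store or update the ID with a ttl in seconds. Returns key serial or -1. */
long store_session_id(const char *server, const char *sid, unsigned long ttl) {
    char desc[256];
    snprintf(desc, sizeof desc, KEY_FMT, server);
    long key = syscall(SYS_add_key, "user", desc, sid, strlen(sid), KEYRING);
    if (key < 0) return -1;
    if (syscall(SYS_keyctl, KEYCTL_SETPERM, key, POSSESSOR_ONLY) < 0 ||
        syscall(SYS_keyctl, KEYCTL_SET_TIMEOUT, key, ttl) < 0) {
        syscall(SYS_keyctl, KEYCTL_UNLINK, key, KEYRING); /* leave nothing behind */
        return -1;
    }
    return key;
}

static long find_key(const char *server) {
    char desc[256];
    snprintf(desc, sizeof desc, KEY_FMT, server);
    return syscall(SYS_keyctl, KEYCTL_SEARCH, KEYRING, "user", desc, 0L);
}
/* Copy the ID into buf; returns length, or -1 if missing, expired or too long. */
long load_session_id(const char *server, char *buf, size_t buflen) {
    long key = find_key(server);
    if (key < 0 || buflen == 0) return -1;
    long n = syscall(SYS_keyctl, KEYCTL_READ, key, buf, buflen - 1);
    if (n < 0 || (size_t)n > buflen - 1) return -1;
    buf[n] = '\0';
    return n;
}
/* Remove the cached ID, e.g. at logout. Returns 0 or -1. */
int drop_session_id(const char *server) {
    long key = find_key(server);
    return key < 0 ? -1 : (int)syscall(SYS_keyctl, KEYCTL_UNLINK, key, KEYRING);
}

int main(void) { /* constructed server name and session ID */
    char sid[128];
    if (store_session_id("ipa.example.test", "constructed-session-id", 1200) < 0) return 1;
    if (load_session_id("ipa.example.test", sid, sizeof sid) > 0) puts(sid);
    return drop_session_id("ipa.example.test") < 0;
}
```

The key's timeout is set independently of any Kerberos ticket, and the payload lives in kernel memory rather than in a file; in environments where the key-management system calls are filtered, `store_session_id` returns -1.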