> -----Original Message-----
> From: Simo Sorce [mailto:s...@redhat.com]
> Sent: Wednesday, June 18, 2014 1:35 PM
> > Clearly there are potential problems. The question is, are they bigger
> > problems than sending your password across the net?
>
> No, but why should you?
> It is quite simple to just call gssapi_acquire_cred_with_password(); it would
> require only a simple change in the browser to show you a prompt like it is
> done with Basic Auth, and then you are future proof and use the system cred
> store.

Wholeheartedly agree. However, when I previously suggested having the browser 
interact with the system cred store, there was fierce resistance. I believe the 
objections expressed on this list at the time were the need to change the client 
side. JS eliminates that need, which is the reason I brought it up.

> >  (and if we assume they use the same password in more than one place:
> > reduce the system manager's exposure to having someone else's
> > compromised system plague my machines?)
>
> I think that if these are your concerns it would be more effective to use OTPs
> where possible.

I don't know enough about OTPs to understand how they apply to external users, 
federation, and allowing "institutional" users to connect from outside the 
firewall. Not even the name sounds very user friendly.

Bryce


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project