On Fri, Jan 20, 2006 at 07:06:00AM +1100, Luke Howard wrote:
> >Windows does this I think. In fact I seem to recall that for at
> >least some versions of Windows it doesn't even bother trying to renew
> >the tickets and just always uses the stored key.
>
> Unfortunately I never leave my Windows workstation unlocked for long
> enough to verify this. But, given the NT OWF is present in memory to
> support NTLM clients, it makes sense to use this for Kerberos too if
> rc4-hmac is supported. Maybe someone from Microsoft can confirm.
>
> (Still, I think in the end we don't want to implement this approach,
> for the reasons pointed out in my initial e-mail, and Doug's.)
It can be an option. If you're willing to type in a long-term password on some keyboard, you might be willing to let the system cache the long-term credential -- you might also not want it to, on the theory that subsequent compromise of the system may compromise temporary credentials but not long-term credentials. Such a trade-off decision can be put in the hands of the administrator, with an appropriate default.

Nico

--
________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
