Russ Allbery <[email protected]> writes:

> kstart should do what you want, I believe, in a Kerberos v5 sort of way,
> although I forget if reauth was one of the programs that cached the
> password in memory. If so, I have intentionally not implemented that
> functionality in kstart (at least yet) since it makes me unhappy from a
> security perspective, but I probably will eventually. Currently, kstart
> requires that you create a keytab if you want to do persistent
> reauthentication. (One of the reasons why I'll probably implement it
> anyway is that storing the password in memory is probably still more
> secure than creating a keytab file on disk.)

Oh, right, now I remember the other reason why I didn't implement that. It's effectively implementing renewable credentials without using the actual renewable credential support in the KDC. That doesn't make sense to do; if a site doesn't allow renewable credentials by policy, then surely that same policy doesn't want people to renew credentials by stashing their password somewhere and bypassing the policy that way. (Yes, people can do this with a keytab, but that requires some Kerberos sophistication.)

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
