[Freeipa-devel] Session design document

Stephen Gallagher sgallagh at redhat.com
Mon Dec 5 14:33:52 UTC 2011


On Sat, 2011-12-03 at 14:06 -0500, Dmitri Pal wrote:
> On 12/01/2011 08:48 PM, Simo Sorce wrote:
> > On Thu, 2011-12-01 at 19:31 -0500, John Dennis wrote:
> >> On 12/01/2011 06:54 PM, Dmitri Pal wrote:
> >>> Seems reasonable. I agree with pros and cons and suggestions but I am
> >>> not the person to make the final approval. Simo?
> >>>
> >>> Question for John: Is there any benefit for CLI or is it for UI only?
> >> Currently it would benefit the UI only. That's mostly because there is 
> >> no mechanism in the cli to cache the session ID. Adding that wouldn't be 
> >> too difficult except for the issue of how to store the session ID 
> >> securely; it would have to be written to a file (unlike with a browser, 
> >> which is supposed to hold session cookies in memory). Is there an 
> >> ability to add a data item like this to the user's kerberos credential 
> >> cache?
> > Yes we could create a fake key and stick the session id in it.
> > That was the trick we proposed using when this question was raised a few
> > months ago during a conference call on the matter.
> >
> > Simo.
> >
> Can we please then extend the design to include this?
> 

Another approach (on Linux only) would be to have the CLI stuff the
session key into the kernel keyring. It would be secure and would be
capable of outliving the TGT life (if the session expiration is longer
than the TGT expiration).
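The kernel-keyring approach Stephen describes above, worked through with keyctl(1) from keyutils. This is an added example, not code from the thread or from FreeIPA: the "ipa_session:<principal>" description, the use of the "user" key type, the user keyring (@u) as the default location, and the cookie value are all illustrative choices made here, and the cookie is a constructed sample.

```shell
#!/bin/sh
# Added example (not FreeIPA code): keep an IPA session cookie in the Linux
# kernel keyring so the CLI never writes it to disk and its lifetime is
# decoupled from the Kerberos TGT. Requires keyctl(1) from keyutils.
set -eu

# Keyring to store into. @u is the per-UID user keyring, which persists
# across login sessions; set KEYRING=@s for a throwaway session keyring.
KEYRING="${KEYRING:-@u}"

# Key description: one cookie per Kerberos principal (naming is an assumption).
session_desc() {
    printf 'ipa_session:%s' "$1"
}

# session_store PRINCIPAL COOKIE TTL_SECONDS -> prints the key serial.
session_store() {
    principal=$1; cookie=$2; ttl=$3
    # "padd" reads the payload from stdin, so the cookie does not appear in
    # the argv of the keyctl process (/proc/<pid>/cmdline is world-readable).
    id=$(printf '%s' "$cookie" | keyctl padd user "$(session_desc "$principal")" "$KEYRING")
    # Expiry is enforced by the kernel and is independent of the TGT lifetime,
    # so a session longer than the TGT survives the TGT's expiry.
    keyctl timeout "$id" "$ttl"
    # Permission mask: possessor and owning user get all rights (0x3f each),
    # group and other get nothing.
    keyctl setperm "$id" 0x3f3f0000
    printf '%s\n' "$id"
}

# session_load PRINCIPAL -> prints the cookie; exit 1 if absent or expired.
session_load() {
    id=$(keyctl search "$KEYRING" user "$(session_desc "$1")" 2>/dev/null) || return 1
    keyctl pipe "$id"
}

# session_clear PRINCIPAL -> unlinks the cached cookie (logout).
session_clear() {
    id=$(keyctl search "$KEYRING" user "$(session_desc "$1")" 2>/dev/null) || return 0
    keyctl unlink "$id" "$KEYRING"
}
```

Usage from a CLI wrapper would be session_store admin@EXAMPLE.COM "$cookie" 1200 after a successful Kerberos login, session_load admin@EXAMPLE.COM before each request, and session_clear on logout. Two caveats a practitioner should keep in mind: a "user" type key is readable by any process running as the same UID that possesses or owns it, so this protects the cookie from other users and from disk forensics, not from other code running as the user (the same trust level as the credential cache itself); and the kernel timeout only bounds the client-side copy, so the server-side session expiry still has to be enforced independently.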

