>>>>> On Tue, 20 Apr 1999 13:23:33 +1000, Chris <chrisat_private> said:

Chris> Perhaps it would be possible to use an authentication agent with which to
Chris> store user passwords for services so that the user is only prompted once per
Chris> session (indeed, their login password could maybe suffice). This password
Chris> is used as the private key to a small db of passwords, which any program
Chris> can register with. The concept is akin to ssh-agent. Would this be a
Chris> possible thing - or are there problems with this approach as well? How
Chris> difficult would it be to implement?

Congratulations. You have just re-discovered Single Sign On (SSO) :-)

Kerberos, DCE, and some PKI-based systems such as Grid Security Infrastructure are all designed to provide "one account, one authentication, all authorized services everywhere authorized" for users.

All of these require some trusted agent to perform as a trusted proxy for you, dispensing credentials on demand as they are requested. SSH-agent is an implementation of an SSO system, with the agent as the proxy that holds your SSH passphrase. In Kerberos/DCE, the KDC performs this service. In GSI, you self-sign an X.509 cert that has limited lifetime (just like a Kerberos TGT).

You pick your infrastructure, and you take your chances :-) You have to trust *something* to hold your credentials safely, and only perform the right actions at the right time, to the right hosts/services.

"Where do you want your keys to go today?" :-)

--tep
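The "trusted proxy that dispenses credentials on demand" pattern discussed in the thread, as an added example that is not part of the original list post and is not the code of ssh-agent, Kerberos or GSI. It assumes a toy design with symmetric secrets (HMAC-SHA256 challenge-response) instead of the public-key or ticket mechanisms the real systems use; the class and function names (CredentialAgent, AgentClient, request_proof, verify_proof) and the line-oriented protocol are hypothetical. The agent keeps each service secret in memory, answers only with proofs over a caller-supplied nonce, refuses to export the secret, and stops serving once its session lifetime is over, mirroring the limited-lifetime property of a TGT or GSI proxy cert.

```python
import hashlib
import hmac
import os
import socket
import threading
import time


def make_tag(secret: bytes, service: str, nonce: bytes) -> bytes:
    """Proof of possession: HMAC over a domain-separated (service, nonce) message."""
    msg = b"agent-auth|" + service.encode("utf-8") + b"|" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()


def verify_proof(secret: bytes, service: str, nonce: bytes, tag: bytes) -> bool:
    """Service side: recompute the tag from its own copy of the secret."""
    return hmac.compare_digest(make_tag(secret, service, nonce), tag)


class CredentialAgent:
    """Hypothetical agent (constructed for this example). Secrets stay inside;
    clients talk to it over a socketpair and receive proofs, never secrets."""

    def __init__(self, lifetime_s: float = 3600.0):
        self._secrets: dict[str, bytes] = {}
        self._expires = time.monotonic() + lifetime_s   # session lifetime, like a TGT
        self.client_sock, self._agent_sock = socket.socketpair()
        threading.Thread(target=self._serve, daemon=True).start()

    def register(self, service: str, secret: bytes) -> None:
        """A program registers the credential it wants the agent to hold."""
        self._secrets[service] = bytes(secret)

    def _handle(self, line: str) -> str:
        parts = line.split()
        if not parts:
            return "ERR malformed"
        if time.monotonic() > self._expires:
            return "ERR expired"                       # no proofs after the session ends
        if parts[0] == "EXPORT":
            return "ERR export-not-supported"          # the secret never leaves the agent
        if parts[0] == "AUTH" and len(parts) == 3:
            service, nonce_hex = parts[1], parts[2]
            secret = self._secrets.get(service)
            if secret is None:
                return "ERR unknown-service"
            try:
                nonce = bytes.fromhex(nonce_hex)
            except ValueError:
                return "ERR malformed"
            return "OK " + make_tag(secret, service, nonce).hex()
        return "ERR malformed"

    def _serve(self) -> None:
        reader = self._agent_sock.makefile("rb")
        for raw in reader:                              # one request per line
            reply = self._handle(raw.decode("utf-8", "replace").strip())
            self._agent_sock.sendall((reply + "\n").encode("utf-8"))


class AgentClient:
    """Client side of the hypothetical protocol: sends one line, reads one line."""

    def __init__(self, sock: socket.socket):
        self._sock = sock
        self._reader = sock.makefile("rb")

    def _call(self, line: str):
        self._sock.sendall((line + "\n").encode("utf-8"))
        reply = self._reader.readline().decode("utf-8").strip()
        if reply.startswith("OK "):
            return True, bytes.fromhex(reply[3:])
        return False, reply[4:] if reply.startswith("ERR ") else reply

    def request_proof(self, service: str, nonce: bytes):
        return self._call(f"AUTH {service} {nonce.hex()}")

    def export(self):
        return self._call("EXPORT")


if __name__ == "__main__":
    # Constructed demo: a mail service registers its secret with the agent once.
    agent = CredentialAgent(lifetime_s=60)
    agent.register("mail", b"constructed-mail-secret")
    client = AgentClient(agent.client_sock)
    nonce = os.urandom(16)                              # challenge chosen by the service
    ok, tag = client.request_proof("mail", nonce)
    print("proof accepted:", ok and verify_proof(b"constructed-mail-secret", "mail", nonce, tag))
    print("export attempt:", client.export())
```

The service never sees the agent at all: it issues a nonce, receives a tag from the client, and checks it against its own copy of the secret, so compromising the client process yields proofs for one session, not the long-term secret.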
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:43:16 PDT