Bugtraq mailing list archives

Re: Plain text passwords--necessary


From: tep () SDSC EDU (Tom Perrine)
Date: Tue, 20 Apr 1999 12:14:30 -0700


On Tue, 20 Apr 1999 13:23:33 +1000, Chris <chris () ORMOND UNIMELB EDU AU> said:

    Chris> Perhaps it would be possible to use an authentication agent with which to
    Chris> store user passwords for services so that the user is only prompted once per
    Chris> session (indeed, their login password could maybe suffice).  This password
    Chris> is used as the private key to a small db of passwords, which any program
    Chris> can register with.  The concept is akin to ssh-agent.  Would this be a
    Chris> possible thing - or are there problems with this approach as well?  How
    Chris> difficult would it be to implement?


Congratulations.  You have just re-discovered Single Sign On (SSO) :-)

Kerberos, DCE, and some PKI-based systems such as Grid Security
Infrastructure are all designed to provide "one account, one
authentication, all authorized services everywhere authorized" for
users.

All of these require some trusted agent to perform as a trusted proxy
for you, dispensing credentials on demand as they are requested.

SSH-agent is an implementation of an SSO system, with the agent as the
proxy that holds your SSH passphrase.

In Kerberos/DCE, the KDC performs this service.

In GSI, you self-sign an X.509 cert that has limited lifetime (just
like a Kerberos TGT).

You pick your infrastructure, and you take your chances :-) You have
to trust *something* to hold your credentials safely, and only perform
the right actions at the right time, to the right hosts/services.

"Where do you want your keys to go today?" :-)


--tep
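Added example, not from this post or the thread: a toy credential-dispensing agent in Python (standard library only) that models the design both messages describe. One passphrase unlocks the agent once per session; from it a master key is derived (Chris's "password as private key to the db"); the agent then hands out short-lived tickets bound to one named service, in the spirit of a Kerberos TGT or a GSI proxy cert. The per-service shared keys, the PBKDF2 parameters, the fixed salt and the service names are all assumptions made for the demo. The service side shows the checks that keep the agent to "the right actions at the right time, to the right hosts/services": a ticket for one service is refused by another, an expired ticket is refused, a tampered ticket fails its MAC, and a locked agent or an unregistered service gets nothing.

```python
"""Toy session credential agent with short-lived, service-bound tickets (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

KDF_ITERATIONS = 200_000  # PBKDF2 work factor; assumption chosen for the demo


def derive_master(passphrase: str, salt: bytes) -> bytes:
    """Turn the one per-session passphrase into the master key guarding the credential store."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)


def service_key(master: bytes, service: str) -> bytes:
    """Per-service shared secret derived from the master; assumed provisioned to the service out of band."""
    return hmac.new(master, b"service-key:" + service.encode(), hashlib.sha256).digest()


class CredentialAgent:
    """Holds the master key for one session and dispenses tickets on demand, like ssh-agent or a KDC."""

    def __init__(self, salt: bytes, lifetime_seconds: int = 300):
        self._salt = salt
        self._lifetime = lifetime_seconds
        self._master = None          # nothing usable is held until the user unlocks once
        self._registered = set()     # services that programs have registered with the agent

    def unlock(self, passphrase: str) -> None:
        self._master = derive_master(passphrase, self._salt)

    def lock(self) -> None:
        self._master = None

    def register(self, service: str) -> None:
        self._registered.add(service)

    def request_ticket(self, service: str, now=None) -> dict:
        """Issue a ticket for one service with a limited lifetime (the TGT analogy)."""
        if self._master is None:
            raise PermissionError("agent is locked")
        if service not in self._registered:
            raise PermissionError(f"service {service!r} is not registered with the agent")
        now = int(time.time()) if now is None else int(now)
        payload = json.dumps({"svc": service, "iat": now, "exp": now + self._lifetime},
                             sort_keys=True).encode()
        mac = hmac.new(service_key(self._master, service), payload, hashlib.sha256).digest()
        return {"payload": base64.b64encode(payload).decode(), "mac": mac.hex()}


class Service:
    """Relying service: verifies that a ticket is for it, unexpired and untampered."""

    def __init__(self, name: str, shared_key: bytes):
        self.name = name
        self._key = shared_key

    def verify(self, ticket: dict, now=None) -> bool:
        try:
            payload = base64.b64decode(ticket["payload"])
            claims = json.loads(payload)
            expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        except (KeyError, ValueError, TypeError):
            return False
        if not hmac.compare_digest(expected, str(ticket.get("mac", ""))):
            return False  # tampered or issued under a different key
        now = int(time.time()) if now is None else int(now)
        return claims.get("svc") == self.name and claims.get("iat", 0) <= now < claims.get("exp", 0)


def demo() -> dict:
    """Run the agent through the failure modes a practitioner would want checked."""
    salt = b"constructed-demo-salt"   # constructed; a real deployment uses a random per-user salt
    agent = CredentialAgent(salt, lifetime_seconds=60)
    agent.register("mail")
    agent.register("files")
    agent.unlock("correct horse battery staple")   # prompted once per session
    master = derive_master("correct horse battery staple", salt)
    mail = Service("mail", service_key(master, "mail"))
    files = Service("files", service_key(master, "files"))
    t0 = 1_000_000
    ticket = agent.request_ticket("mail", now=t0)
    forged_claims = json.loads(base64.b64decode(ticket["payload"]))
    forged_claims["exp"] += 3600   # try to stretch the lifetime without the key
    forged = {"payload": base64.b64encode(json.dumps(forged_claims, sort_keys=True).encode()).decode(),
              "mac": ticket["mac"]}
    try:
        agent.request_ticket("db", now=t0)
        unregistered_refused = False
    except PermissionError:
        unregistered_refused = True
    agent.lock()
    try:
        agent.request_ticket("mail", now=t0)
        locked_refused = False
    except PermissionError:
        locked_refused = True
    return {
        "mail_accepts_own_ticket": mail.verify(ticket, now=t0 + 10),
        "files_rejects_mail_ticket": files.verify(ticket, now=t0 + 10),
        "expired_ticket_rejected": mail.verify(ticket, now=t0 + 61),
        "tampered_ticket_rejected": mail.verify(forged, now=t0 + 10),
        "unregistered_service_refused": unregistered_refused,
        "locked_agent_refused": locked_refused,
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The agent never hands out the master key or the per-service key itself, only a ticket that names one service and one expiry window; that is the property Tom is pointing at when he says the thing you trust must "only perform the right actions at the right time, to the right hosts/services".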


