
Target rich environment

Posted Sep 29, 2011 17:05 UTC (Thu) by alex (subscriber, #1355)
Parent article: SSSD: System Security Services Daemon

One thing I worry about with credential holding programs (ssh-agent and gpg-agent aren't immune either) is they present a very tempting target for malware/hackers. Especially in the days of always on, suspend/resume laptops when do the credentials get flushed and the user is forced to enter the details again?
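Flushing agent-held credentials at suspend, which the comment above asks about, as an added example that is not from LWN or any commenter. It assumes the layout of a systemd system-sleep hook (called with `pre|post` and the sleep type) and that it runs with the logged-in user's SSH_AUTH_SOCK and GNUPGHOME exported; both are assumptions, not from the page.

```shell
#!/bin/sh
# Constructed example: a systemd system-sleep hook that drops cached
# credentials before the machine suspends. systemd runs every executable
# in /usr/lib/systemd/system-sleep/ as: <script> pre|post <sleep-type>.
# Assumed: the hook executes with the user's SSH_AUTH_SOCK and GNUPGHOME
# in its environment (e.g. wrapped by a user-level hook), not as root.

# Remove every identity from ssh-agent; prints what happened, exits 0.
flush_ssh_agent() {
    if [ -S "${SSH_AUTH_SOCK:-}" ]; then
        ssh-add -D >/dev/null 2>&1 && echo "ssh-agent: identities removed" \
            || echo "ssh-agent: flush failed"
    else
        echo "ssh-agent: no agent socket, nothing to flush"
    fi
}

# gpg-agent keeps passphrases in memory; killing it empties the cache,
# and gpg restarts the agent on demand and prompts again.
flush_gpg_agent() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill gpg-agent >/dev/null 2>&1 && echo "gpg-agent: cache dropped" \
            || echo "gpg-agent: kill failed"
    else
        echo "gpg-agent: gpgconf not installed, nothing to flush"
    fi
}

# Entry point mirroring systemd's hook arguments: act only before sleep,
# so credentials are gone by the time the lid is opened again.
sleep_hook() {
    case "$1/$2" in
        pre/suspend|pre/hibernate|pre/hybrid-sleep|pre/suspend-then-hibernate)
            flush_ssh_agent
            flush_gpg_agent
            ;;
        *)
            echo "no action for $1 $2"
            ;;
    esac
}

# Behave as the hook when systemd passes its two arguments.
if [ "$#" -eq 2 ]; then
    sleep_hook "$1" "$2"
fi
```

Keys re-added afterwards can be given a bounded lifetime with `ssh-add -t <seconds>`, so a forgotten laptop does not keep them indefinitely.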


Target rich environment

Posted Sep 29, 2011 20:29 UTC (Thu) by nix (subscriber, #2304) [Link]

Both ssh-add and gpg-agent can specify maximum key lifetimes (in ssh-add's case, on a key-by-key basis: I'm not sure if you can do the same with gpg-agent).

Target rich environment

Posted Sep 30, 2011 8:07 UTC (Fri) by myllynen (subscriber, #55412) [Link]

This is a nice idea; I've filed an upstream RFE at

https://fedorahosted.org/sssd/ticket/1015

Target rich environment

Posted Sep 30, 2011 13:14 UTC (Fri) by idra (guest, #36289) [Link]

Note that retaining the password is optional and is not enabled by default.
By default SSSD will never store your password in the clear, it will only store a salted hash for offline login purposes.

When you explicitly configure SSSD to store the clear text password for deferred ticket acquisition, it is stored in the kernel keyring, which is generally considered secure storage (i.e. if someone gets there, you already have bigger issues).

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds