On Tue, 2016-12-13 at 18:52 +0000, Tom Hughes wrote:
> On 13/12/16 18:19, Simo Sorce wrote:
>> On Tue, 2016-12-13 at 14:36 +0000, Dave Love wrote:
>>> Simo Sorce <simo(a)redhat.com> writes:
>>>
>>>> If you really need to automate it because typing a password is too hard:
>>>> cat ~/.mykrbpassword | kinit myusername
>>>
>>> It needs to be automated principally because the password is not
>>> memorable. I assume infrastructure people would rather we don't use the
>>> least secure credentials we can.
>>
>> It is the same password you had to use every day to access services like
>> bodhi, pkgdb, fas, etc...
> Yes, the 16 character random one that is known to my browser's password
> manager but not to me unless I look it up. So yes I do "use" it all the
> time but only in as much as I hit the login button on my browser's
> toolbar and it sends it to the web site.
>> Now all those services are kerberized too (via OIDC IDP middleman) so
>> you can just kinit once and then access all those services w/o sending
>> password around, all in all I think it is a better situation.
> Well yes that is probably another option, but it would still have to be
> a weakened password to stand any chance of being memorable.
If you are ok storing it in the browser then you can store it elsewhere
and pipe it into kinit; I do not see a problem here.
The main goal of long random passwords after all is about a combination
of making them hard to brute force and ensuring that every service has a
unique password to guard against credential reuse attacks when one of
the many services everybody has logins for experiences the inevitable
loss of their poorly secured database.
> I always find it somewhat depressing that the more sophisticated a login
> system becomes the worse my security on it seems to get because I wind
> up having to use weaker passwords. Banks are the classic example because
> they rarely have a straightforward password even as one part of their
> authentication but anything that means I have to remember a password
> hits the same problem.
Don't remember it if it bothers you; why do you use a double standard if
the password is not sent via browser but through a CLI?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
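The "store it elsewhere and pipe it into kinit" approach from this reply, as an added example that is not part of the thread: a POSIX shell helper that refuses a password file readable by anyone but its owner before feeding it to kinit on stdin. It assumes the ~/.mykrbpassword path from the thread; the KINIT variable is a hypothetical override so the helper can be exercised without a real KDC.

```shell
#!/bin/sh
# Added example (not from the thread). Feeds a stored Kerberos password
# to kinit on stdin, but only if the file is private to the caller.

# Succeeds only when the file exists, is owned by the caller, and has no
# group or world permission bits (mode 600 or 400).
check_private_file() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  owner=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f")
  [ "$owner" = "$(id -u)" ] || { echo "not owned by you: $f" >&2; return 1; }
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$mode" in
    [0-7]00) return 0 ;;
    *) echo "$f is mode $mode; expected 600 or 400" >&2; return 1 ;;
  esac
}

# kinit_from_file PRINCIPAL [FILE]
# The password never appears on a command line (so not in ps or shell
# history); kinit reads it from stdin, as in the thread's pipe.
# KINIT defaults to the real kinit; override it for testing (assumption).
kinit_from_file() {
  principal="$1"
  file="${2:-$HOME/.mykrbpassword}"
  check_private_file "$file" || return 1
  head -n 1 "$file" | "${KINIT:-kinit}" "$principal"
}

# Usage: kinit_from_file myusername@EXAMPLE.ORG
```

The permission check is the part the thread leaves implicit: a password file that is readable by other users is exactly the "poorly secured database" problem in miniature.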