aboutsummaryrefslogtreecommitdiff
path: root/README
blob: 8a2d036a4c0f4898f11909a92ed45e8f0fcd2fed (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
krb5-auth-dialog is a simple dialog that monitors kerberos tickets, and
pops up a dialog when they are about to expire.  Eventually, we expect
it to be part of GNOME.

Configuration
=============
Configuration settings are handled via gsettings.

You can set the principal that is used to acquire tickets via:
gsettings set org.gnome.KrbAuthDialog principal "principal@YOUR.REALM"

You can set the time of the first password prompt via:
gsettings set org.gnome.KrbAuthDialog prompt-minutes 30

You can set the principals pkinit identifier via:
gsettings set org.gnome.KrbAuthDialog pk-userid "FILE:/path/to/user.pem,/path/to/user.key"

or if you're using a smartcard:
gsettings set org.gnome.KrbAuthDialog pk-userid "PKCS11:/usr/lib/opensc/opensc-pkcs11.so"

DBus API
========
You can request a ticket granting ticket via DBus:

 dbus-send --print-reply --type=method_call \
              --dest=org.gnome.KrbAuthDialog \
               /org/gnome/KrbAuthDialog \
               org.gnome.KrbAuthDialog.acquireTgt \
               string:'principal'

If the sent principal doesn't match the one currently in the ticket cache the
request fails. To request a TGT for the "default" principal use string:''.

See examples/tgt-signals.py for information about sent DBus signals.


Plugins
=======
Plugins are currently disabled by default. Individual plugins can be enabled via gsettings:

Enable pam and dummy plugions:
.

You can set the principal that is used to acquire tickets via:
gsettings set org.gnome.KrbAuthDialog principal "principal@YOUR.REALM"

You can set the time of the first password prompt via:
gsettings set org.gnome.KrbAuthDialog prompt-minutes 30

You can set the principals pkinit identifier via:
gsettings set org.gnome.KrbAuthDialog pk-userid "FILE:/path/to/user.pem,/path/to/user.key"

or if you're using a smartcard:
gsettings set org.gnome.KrbAuthDialog pk-userid "PKCS11:/usr/lib/opensc/opensc-pkcs11.so"

DBus API
========
You can request a ticket granting ticket via DBus:

 dbus-send --print-reply --type=method_call \
              --dest=org.gnome.KrbAuthDialog \
               /org/gnome/KrbAuthDialog \
               org.gnome.KrbAuthDialog.acquireTgt \
               string:'principal'

If the sent principal doesn't match the one currently in the ticket cache the
request fails. To request a TGT for the "default" principal use string:''.

See examples/tgt-signals.py for information about sent DBus signals.


Plugins
=======
Plugins are currently disabled by default. Individual plugins can be enabled via gsettings:

Enable pam and dummy plugions:
gsettings set org.gnome.KrbAuthDialog.plugins enabled "['pam', 'dummy']"

To list currently enabled plugins:
gsettings get org.gnome.KrbAuthDialog.plugins enabled


A Note on Translations
======================
Kerberos doesn't translate either its prompts or its error messages.
As the prompt is very visible, we need to translate it externally.  To
do this, the etpo binary in etpo/ can be used to extract the public
strings that kerberos uses.  We are checking that in for now, until
kerberos gets translated.

If your language doesn't have a translation yet and you want to provide one do a

	cd po; make krb5-auth-dialog.pot

in the unpacked source tree to get a template of translatable strings.

bgstack15