Bug#823568: krb5-auth-dialog: Don't autostart for non-Kerberos users
On Fri, May 13, 2016 at 04:39:43PM -0400, Daniel Richard G. wrote:
> On Fri, 2016 May 13 12:22+0200, Guido Günther wrote:
> > >
> > > I can just click on the little systray icon. How is the notification
> > > necessary for me to get a ticket? (I am using the program under
> > > Xfce, if that makes a difference.)
> >
> > Only if there is such an icon. E.g. GNOME relies solely on
> > notifications (which, at least there, is a good thing).
>
> Oh. Okay. That's a different way of doing things...
>
> > Yeah, I agree that the startup case should better indicate that the
> > user does not have any creds, not that they're expired.
>
> That would be great.
>
> On a similar note, regarding the man page description for the --auto
> option:
>
>     If this option is specified, krb5-auth-dialog will exit if it finds
>     that the user has no Kerberos credentials.
>
> This could be misread as stating that the program will exit at a later
> time when the user's credentials expire. I would at least add the words
> "at startup" or "when it starts." Alternately, I'd suggest this
> elaborated wording:
>
>     If this option is specified, krb5-auth-dialog will start only if it
>     finds that the user has Kerberos credentials. This may be used to
>     ensure that only users who actually use Kerberos see the program.
>     (Note that in some settings, users may authenticate to Kerberos at a
>     later time even if they do not have Kerberos credentials initially.)

I've added this manpage update to the upstream manpage. Will pop up in the
next release. Still need to get around to improve the initial
notification.

Cheers,
 -- Guido

>
> > The Systray icon is a bandaid. On a proper integrated desktop it
> > should not be needed to get a ticket.
>
> Xfce may not be that, but in that environment, the systray icon works
> perfectly :]
Bug#823568: krb5-auth-dialog: Don't autostart for non-Kerberos users
On Fri, 2016 May 13 12:22+0200, Guido Günther wrote:
> >
> > I can just click on the little systray icon. How is the notification
> > necessary for me to get a ticket? (I am using the program under
> > Xfce, if that makes a difference.)
>
> Only if there is such an icon. E.g. GNOME relies solely on
> notifications (which, at least there, is a good thing).

Oh. Okay. That's a different way of doing things...

> Yeah, I agree that the startup case should better indicate that the
> user does not have any creds, not that they're expired.

That would be great.

On a similar note, regarding the man page description for the --auto
option:

    If this option is specified, krb5-auth-dialog will exit if it finds
    that the user has no Kerberos credentials.

This could be misread as stating that the program will exit at a later
time when the user's credentials expire. I would at least add the words
"at startup" or "when it starts." Alternately, I'd suggest this
elaborated wording:

    If this option is specified, krb5-auth-dialog will start only if it
    finds that the user has Kerberos credentials. This may be used to
    ensure that only users who actually use Kerberos see the program.
    (Note that in some settings, users may authenticate to Kerberos at a
    later time even if they do not have Kerberos credentials initially.)

> The Systray icon is a bandaid. On a proper integrated desktop it
> should not be needed to get a ticket.

Xfce may not be that, but in that environment, the systray icon works
perfectly :]
Bug#823568: krb5-auth-dialog: Don't autostart for non-Kerberos users
(sorry for the delay)

On Sun, May 08, 2016 at 01:56:49PM -0400, Daniel Richard G. wrote:
> On Sun, 2016 May 8 11:28+0200, Guido Günther wrote:
> > >
> > > I would not mind having the program run for all users, but for the
> > > "credentials expired" notification. Is there a reason to give that
> > > message on startup when no credentials (not even expired ones) are
> > > present?
> >
> > Yes, this gives you the persistent notification in GNOME's notification
> > area that allows you to grab a ticket via mouse click (in contrast to
> > getting it via the API).
>
> I can just click on the little systray icon. How is the notification
> necessary for me to get a ticket? (I am using the program under Xfce, if
> that makes a difference.)

Only if there is such an icon. E.g. GNOME relies solely on
notifications (which, at least there, is a good thing).

>
> Bear in mind, strictly speaking, it is incorrect for the program to
> report "credentials expired" when a non-Kerberos user logs in---because
> no credentials (even expired/invalid ones) are present at all. It's like
> telling someone who has never had a passport in their life that their
> passport is expired. That's going to be quite confusing for them.

Yeah, I agree that the startup case should better indicate that the
user does not have any creds, not that they're expired.

> > The current behaviour is reasonable under the objective that you want
> > to give the user an easy way to fetch a ticket at any time and not all
> > applications being able to request a ticket via the DBus API.
>
> I don't understand why you're bringing up the DBus API. Yes, some
> applications can request krb5-auth-dialog get the user's password and
> then Kerberos tickets. But there is a systray icon that is independent
> of DBus, and the user can click on it whenever they like, and that is
> about as easy as it gets.

The Systray icon is a bandaid. On a proper integrated desktop it
should not be needed to get a ticket.

Cheers,
 -- Guido
Bug#823568: krb5-auth-dialog: Don't autostart for non-Kerberos users
On Sun, 2016 May 8 11:28+0200, Guido Günther wrote:
> >
> > I would not mind having the program run for all users, but for the
> > "credentials expired" notification. Is there a reason to give that
> > message on startup when no credentials (not even expired ones) are
> > present?
>
> Yes, this gives you the persistent notification in GNOME's notification
> area that allows you to grab a ticket via mouse click (in contrast to
> getting it via the API).

I can just click on the little systray icon. How is the notification
necessary for me to get a ticket? (I am using the program under Xfce, if
that makes a difference.)

Bear in mind, strictly speaking, it is incorrect for the program to
report "credentials expired" when a non-Kerberos user logs in---because
no credentials (even expired/invalid ones) are present at all. It's like
telling someone who has never had a passport in their life that their
passport is expired. That's going to be quite confusing for them.

> The current behaviour is reasonable under the objective that you want
> to give the user an easy way to fetch a ticket at any time and not all
> applications being able to request a ticket via the DBus API.

I don't understand why you're bringing up the DBus API. Yes, some
applications can request krb5-auth-dialog get the user's password and
then Kerberos tickets. But there is a systray icon that is independent
of DBus, and the user can click on it whenever they like, and that is
about as easy as it gets.
Bug#823568: krb5-auth-dialog: Don't autostart for non-Kerberos users
On Fri, May 06, 2016 at 04:24:02AM -0400, Daniel Richard G. wrote:
> On Fri, 2016 May 6 10:13+0200, Guido Günther wrote:
> >
> > Using "krb5-auth-dialog -a" should do what you want. However we
> > want krb5-auth-dialog running all the time for use cases where the
> > user wants to pick up a Kerberos ticket later (e.g. after starting
> > a VPN tunnel) so we want the notification in the system tray to
> > pick up a ticket.
> >
> > Since this is a config file you can safely modify it without it being
> > overwritten by upgrades.
> >
> > Does this sound o.k.?
>
> I would not mind having the program run for all users, but for the
> "credentials expired" notification. Is there a reason to give
> that message on startup when no credentials (not even expired
> ones) are present?

Yes, this gives you the persistent notification in GNOME's notification
area that allows you to grab a ticket via mouse click (in contrast to
getting it via the API).

> While I can modify the .desktop file, the best solution would be one
> that gives reasonable behavior for both Kerberos and non-Kerberos users,
> such that no tweaks are needed.

The current behaviour is reasonable under the objective that you want
to give the user an easy way to fetch a ticket at any time and not all
applications being able to request a ticket via the DBus API.

Cheers,
 -- Guido
Bug#823568: krb5-auth-dialog: Don't autostart for non-Kerberos users
On Fri, 2016 May 6 10:13+0200, Guido Günther wrote:
>
> Using "krb5-auth-dialog -a" should do what you want. However we
> want krb5-auth-dialog running all the time for use cases where the
> user wants to pick up a Kerberos ticket later (e.g. after starting
> a VPN tunnel) so we want the notification in the system tray to
> pick up a ticket.
>
> Since this is a config file you can safely modify it without it being
> overwritten by upgrades.
>
> Does this sound o.k.?

I would not mind having the program run for all users, but for the
"credentials expired" notification. Is there a reason to give that
message on startup when no credentials (not even expired ones) are
present?

While I can modify the .desktop file, the best solution would be one
that gives reasonable behavior for both Kerberos and non-Kerberos users,
such that no tweaks are needed.
Bug#823568: krb5-auth-dialog: Don't autostart for non-Kerberos users
Hi,

On Thu, May 05, 2016 at 10:04:49PM -0400, Daniel Richard G. wrote:
> Package: krb5-auth-dialog
> Version: 3.12.0-2
> Severity: wishlist
>
> When krb5-auth-dialog is installed, it drops a .desktop file into
> /etc/xdg/autostart/ so that it starts up as part of the normal desktop
> session, without requiring further intervention. I am assembling a
> system that will mainly handle users authenticated via Kerberos, so
> this is great.
>
> However, there will also be some local-only users (via normal Unix
> auth), and for them, the "Network credentials expired" notification
> will be confusing and unhelpful. I'd like for the program not to
> autostart for them.
>
> (If a local-only user somehow wants to authenticate to some Kerberos
> principal graphically, they can always start up the program via the
> application menu, of course.)
>
> This minor change to the .desktop file gets me the desired effect...
>
> --- /etc/xdg/autostart/krb5-auth-dialog.desktop.orig > +++ /etc/xdg/autostart/krb5-auth-dialog.desktop > @@ -1,7 +1,7 @@ >[Desktop Entry] >Name=Kerberos Authentication >Comment=Kerberos Network Authentication Dialog > -Exec=krb5-auth-dialog > +Exec=sh -c 'test -z "$KRB5CCNAME" || exec krb5-auth-dialog' >Terminal=false >Type=Application >Icon=krb-valid-ticket

Using "krb5-auth-dialog -a" should do what you want. However we
want krb5-auth-dialog running all the time for use cases where the
user wants to pick up a Kerberos ticket later (e.g. after starting
a VPN tunnel) so we want the notification in the system tray to
pick up a ticket.

Since this is a config file you can safely modify it without it being
overwritten by upgrades.

Does this sound o.k.?
 -- Guido
Bug#823568: krb5-auth-dialog: Don't autostart for non-Kerberos users
Package: krb5-auth-dialog
Version: 3.12.0-2
Severity: wishlist

When krb5-auth-dialog is installed, it drops a .desktop file into
/etc/xdg/autostart/ so that it starts up as part of the normal desktop
session, without requiring further intervention. I am assembling a
system that will mainly handle users authenticated via Kerberos, so
this is great.

However, there will also be some local-only users (via normal Unix
auth), and for them, the "Network credentials expired" notification
will be confusing and unhelpful. I'd like for the program not to
autostart for them.

(If a local-only user somehow wants to authenticate to some Kerberos
principal graphically, they can always start up the program via the
application menu, of course.)

This minor change to the .desktop file gets me the desired effect...

--- /etc/xdg/autostart/krb5-auth-dialog.desktop.orig +++ /etc/xdg/autostart/krb5-auth-dialog.desktop @@ -1,7 +1,7 @@ [Desktop Entry] Name=Kerberos Authentication Comment=Kerberos Network Authentication Dialog -Exec=krb5-auth-dialog +Exec=sh -c 'test -z "$KRB5CCNAME" || exec krb5-auth-dialog' Terminal=false Type=Application Icon=krb-valid-ticket

...but there may be a better way of doing it. I'd like to request this behavior.
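Review bot: The test in the added Exec line, test -z "$KRB5CCNAME", checks only whether an environment variable is set, not whether the user holds Kerberos credentials. A Kerberos user whose credential cache sits at the library's default location with KRB5CCNAME unset would lose the autostart, while a session where the variable is set but the cache it names holds no tickets would still start the dialog. The maintainer's reply in this thread points to "krb5-auth-dialog -a", which has the program itself check for credentials at startup; using Exec=krb5-auth-dialog -a would drop the sh -c wrapper and the assumption about how the login stack sets the variable.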