Krb5-auth-dialog is a tray applet for the GNOME Desktop that monitors Kerberos tickets.

Features

  • It can alert the user via notifications when the ticket is about to expire.
  • Current tickets in the credential cache can be listed.
    • It can be extended using plugins. This can be used to extend krb5-auth-dialog to e.g. handle things like kx509.
  • These plugins are currently available:
    • afs: a plugin to acquire AFS tickets
    • dummy: a sample plugin printing to the console
    • pam: a plugin invoking the pam stack
  • A DBus API for applications to acquire a Kerberos ticket and to remove the credentials cache is provided.
  • DBus signals notify applications about acquired, renewed and expired tickets.
  • It supports PKinit (e.g. via SmartCard) when built against Heimdal.

Source Code

The source code is available and browseable via GNOMEs Gitlab:

git clone https://gitlab.gnome.org/GNOME/krb5-auth-dialog.git

Releases

Releases are availale from download.gnome.org. The current stable release is 44.

Debian Packages

Debian packges are available from debian.org.

Screenshots

The tray icon can be seen here and here. Below are pictures of the password and preferences dialogs:

password dialog preferences dialog

The notifications under GNOME 3 look like this:

valid ticket notification expired ticket notification

Plugins

There are currently three plugins available:

  • afs - call aklog or afslog to aquire AFS tickets
  • pam - invoke PAM modules
  • dummy - example plugin

These plugins can be activated using a key in GSettings

DBus API

  • There's a DBus API to acquire Kerberos ticktes. See the examples. virt-manager is using this and here's a patch for offlineimap.
  • DBus signals notify about acquired, renewed or expired tickets. This can be used to e.g. run aklog via this example.

Todo

  • Add gnome keyring support (567701)
  • Remove all wakeups, rely on our gio watch of the ticket cache
  • Add cache version, etc. to ticket dialog
  • Add fast principal switching
  • Make more applications use the DBUS API to make Kerberos a smooth experience on the desktop:
    • libsoup - used by nautilus and evolution for calendars
    • Thunderbird
    • Evolution IMAP and SMTP
    • ssh client

GNOME Goals

Status of current Gnome goals in krb5-auth-dialog:

Authors

krb5-auth-dialog was originally written by Christopher Aillon and is now maintained by Guido Günther <agx@sigxcpu.org>.

Bugs

Please file bug reports via GNOME's gitlab.

License

krb5-auth-dialog is free software and licensed under the GPL Version 2.