Re: systematic Kerberization

[Chris Ricker <kaboom gatech edu>]

On Tue, 11 May 2004, Dennis Gilmore wrote:

> I see disconected authentication as the caching of just enough data to allow 
> system authentication.  all other authentication should be resolved when user 
> becomes online again and can ask for new tickets.  for instance  at my old 
> work i had 2 pcs  and sometimes i would have one disconected from the network 
> so i could use my laptop on its network port.  and sometimes my password 
> would expire before i could reconnect  so i would use my old password  but 
> once i plugged back into the network i would have to reauthenticate so 
> everything would work
> 
> but i guess to do it what you would need to do is create the key based on the 
> password and compare it to an old key which needs to be stored somewhere 
> secure

Why invent a new caching? We already have an off-line authentication system
-- standard Unix authentication. Rather than caching authentication, I'd
just like fall back to local accounts when disconnected. When I'm in the
airport, I should still be able to log into my laptop authenticating against
/etc/shadow even though I'm either not on a network, or on a network but not
able to access my ldap server, my kdc, etc.

later,
chris