[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: systematic Kerberization



On Tue, 2004-05-11 at 08:05, Dennis Gilmore wrote:
> Once upon a time Wednesday 12 May 2004 12:00 am, Chris Ricker wrote:
> > On Tue, 11 May 2004, Dennis Gilmore wrote:
> >
> > Why invent a new caching? We already have an off-line authentication system
> > -- standard Unix authentication. Rather than caching authentication, I'd
> > just like fall back to local accounts when disconnected. When I'm in the
> > airport, I should still be able to log into my laptop authenticating
> > against /etc/shadow even though I'm either not on a network, or on a
> > network but not able to access my ldap server, my kdc, etc.
> >
> > later,
> > chris
> 
> because organisations with thousands of users  want to setup authentication 
> once only in a central place  and have that information used for many 
> different services and servers  as well as different machines.  

The standard way I have seen it implemented on other versions of Linux
(here and other large organizations) is that the central authentication
is used first in the pam stack and if it fails/isnt available you get
authorized against the local password db which if it works lets you in.

In this scenario the person only gets network credentials if the
kerberos server is there and cant get off the box otherwise.  Anything
else is considered too security prone because the attacker already has
physical access to the asset.

-- 
Stephen John Smoogen		smoogen lanl gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]