[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: systematic Kerberization



On Wed, 12 May 2004, Dennis Gilmore wrote:

> Once upon a time Wednesday 12 May 2004 12:14 am, Chris Ricker wrote:
> > On Wed, 12 May 2004, Dennis Gilmore wrote:
> > > because organisations with thousands of users  want to setup
> > > authentication once only in a central place  and have that information
> > > used for many different services and servers  as well as different
> > > machines.
> >
> > Organizations also want security. Random authentication caching mechanisms
> > are kinda counter to that....
> >
> > later,
> > chris
> 
> 
> perhaps you shold read up on how kerberos authenticates users

I'm well aware of how it works. I'm also aware that it doesn't solve the
problem of wanting to work disconnected. Kerberos ticket caching still
requires initial connectivity. It also does nothing for LDAP, NIS, etc.
You'd need a totally new ad-hoc caching mechanism above and beyond the krb
ticket cache, and I don't think it would turn out to be something any sane
organization would want.... Local accounts, OTOH, are an access control
mechanism that is at least well-understood, which is why our standard is to
fall back to them if distributed is unavailable.

later,
chris



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]