[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: systematic Kerberization



On Tue, 2004-05-11 at 15:40, Dennis Gilmore wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Once upon a time Tuesday 11 May 2004 11:24 pm, Havoc Pennington wrote:
> 
> >
> > This isn't the first strong customer request for disconnected operation.
> > I have no idea what's involved though (it seems like there would be some
> > tricky security issues?). I could ask Nalin, but public lists beat
> > hallway conversations. ;-)
> 
> I see disconected authentication as the caching of just enough data to allow 
> system authentication.  all other authentication should be resolved when user 
> becomes online again and can ask for new tickets.  for instance  at my old 
> work i had 2 pcs  and sometimes i would have one disconected from the network 
> so i could use my laptop on its network port.  and sometimes my password 
> would expire before i could reconnect  so i would use my old password  but 
> once i plugged back into the network i would have to reauthenticate so 
> everything would work

Although I know this is not long-term solution, to allow using my laptop
when disconnected from my LAN, I have set up a local (i.e. shadow)
password for my user account which is the same as the one in the
Kerberos real.

Next, I configured PAM to first try pam_krb5.so and, if unable to
contact the KDC, try local shadow passwords. It works great when my KDC
is not reachable, but I must manually keep the shadow and Kerberos
password synched up.

Until disconnected operation works transparently, this is what I'll keep
using :-)



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]