systematic Kerberization

Chris Ricker kaboom at gatech.edu
Wed May 12 02:06:09 UTC 2004


On Tue, 11 May 2004, Havoc Pennington wrote:

> So the message I've gotten from others is "Windows solves this problem
> and Linux does not" and they were aware of the ability to set up a local
> passwd file when complaining.
> 
> I think the question we have to answer is why is there a perceived
> deficiency vs. Windows, and can we address that without fundamental
> security problems. Appears the perceived deficiency would include 1) we
> aren't working out of the box, only if you fool around with it and
> possibly requiring the end user to run authconfig 2) the local/remote
> passwords can get out of sync.

Make that "require the end user NOT to run authconfig". Once you fix the pam
configs and actually get local authentication as fall-back running, you can
never run authconfig again without it undoing all your hard work (though
that's historically true of pam customization in general, but may be
changing since I vaguely recall recent changelogs mentioning changes to 
allow preservation of custom password quality settings).

At any rate, I don't think it's a case of a "perceived deficiency vs. 
Windows." It's a perceived deficiency, period, and it's not how other Unixen 
(Solaris, for example) or even other Linux distros behave....

later,
chris





More information about the fedora-devel-list mailing list