systematic Kerberization

Chris Ricker kaboom at gatech.edu
Wed May 12 02:10:01 UTC 2004


On Tue, 11 May 2004, David T Hollis wrote:

> Caching user credentials is enabled by default (for 10 user accounts
> IIRC) up through XP.  Win2k3 may not do it since it is server oriented
> and the whole "security push" marketing show.  Any security guide worth
> its salt will tell you to turn that off, though in the Windows paradigm,
> that does mess up laptops (which are the ones you would want it off on
> since they are roaming all over the place!).  Another problem with it is
> that if I log in with LaptopA, do my thing and shut down and then log in
> with LaptopB and change my password, I can still log into LaptopA while
> disconnected from the network with my old password.

There are lots of corner cases with it. If you have password aging policies,
it will sometimes allow your users to log in with an expired password, for 
example....

later,
chris





More information about the fedora-devel-list mailing list