systematic Kerberization
Felipe Alfaro Solana
felipe_alfaro at linuxmail.org
Tue May 11 19:13:55 UTC 2004
On Tue, 2004-05-11 at 15:40, Dennis Gilmore wrote:
> Once upon a time Tuesday 11 May 2004 11:24 pm, Havoc Pennington wrote:
>
> >
> > This isn't the first strong customer request for disconnected operation.
> > I have no idea what's involved though (it seems like there would be some
> > tricky security issues?). I could ask Nalin, but public lists beat
> > hallway conversations. ;-)
>
> I see disconnected authentication as the caching of just enough data to allow
> system authentication. All other authentication should be resolved when the user
> becomes online again and can ask for new tickets. For instance, at my old
> work I had 2 PCs and sometimes I would have one disconnected from the network
> so I could use my laptop on its network port. And sometimes my password
> would expire before I could reconnect, so I would use my old password, but
> once I plugged back into the network I would have to reauthenticate so
> everything would work.
Although I know this is not a long-term solution, to allow using my laptop
when disconnected from my LAN, I have set up a local (i.e. shadow)
password for my user account which is the same as the one in the
Kerberos realm.
Next, I configured PAM to first try pam_krb5.so and, if unable to
contact the KDC, try local shadow passwords. It works great when my KDC
is not reachable, but I must manually keep the shadow and Kerberos
password synched up.
Until disconnected operation works transparently, this is what I'll keep
using :-)
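As an added illustration of the PAM stack described above (not from the original message, and not tied to any particular pam_krb5 version): two alternative auth sections for a file such as /etc/pam.d/system-auth. Alternative A is the plain "sufficient" form, which falls through to the shadow password on any Kerberos failure; Alternative B assumes pam_krb5 reports an unreachable KDC as PAM_AUTHINFO_UNAVAIL and falls back only in that case, so a wrong Kerberos password is not retried against the local hash.

```pam
# Added example, not part of the original post. Use ONE of the two
# alternatives below as the "auth" section of the PAM service file.

# --- Alternative A: what the message describes ---------------------------
# Any pam_krb5 failure (wrong password, expired principal, KDC unreachable)
# drops through to pam_unix, which checks the same password against
# /etc/shadow. The shadow entry must therefore be kept in sync by hand.
auth    required      pam_env.so
auth    sufficient    pam_krb5.so
auth    required      pam_unix.so use_first_pass

# --- Alternative B: fall back only when the KDC cannot be reached ---------
# Assumption: the pam_krb5 module in use returns PAM_AUTHINFO_UNAVAIL when
# it cannot contact a KDC (verify this for the installed version).
#   success=done            -> Kerberos accepted the password, stop here
#   authinfo_unavail=ignore -> KDC unreachable, continue to pam_unix
#   default=die             -> any other failure (bad password, expired
#                              principal) fails immediately, no local retry
auth    required      pam_env.so
auth    [success=done authinfo_unavail=ignore default=die]  pam_krb5.so
auth    required      pam_unix.so use_first_pass
```

With Alternative B a mistyped password is rejected by Kerberos and never reaches /etc/shadow, while a laptop off the LAN still logs in with the local hash.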
More information about the fedora-devel-list
mailing list