systematic Kerberization
Dennis Gilmore
dennis at ausil.us
Tue May 11 21:35:57 UTC 2004
Once upon a time Tuesday 11 May 2004 11:24 pm, Havoc Pennington wrote:
> On Tue, 2004-05-11 at 00:37, Jeremy Katz wrote:
>
> This isn't the first strong customer request for disconnected operation.
> I have no idea what's involved though (it seems like there would be some
> tricky security issues?). I could ask Nalin, but public lists beat
> hallway conversations. ;-)
I had a thought on some way of maybe achieving this. When you log in for the first
time to the Kerberos authentication server, a new entry is placed
in /etc/passwd, but instead of an x for shadow password you use a k for
Kerberos. When you generate the key between the authentication server and
user, you encrypt the password with it and save it in /etc/kerberos/<username>,
so then in the future if the user is disconnected they can generate the key
and decrypt the password when not connected to the network.
Just an idea
Dennis