systematic Kerberization

Stephen Smoogen smoogen at lanl.gov
Tue May 11 14:10:30 UTC 2004


On Tue, 2004-05-11 at 08:05, Dennis Gilmore wrote:
> Once upon a time Wednesday 12 May 2004 12:00 am, Chris Ricker wrote:
> > On Tue, 11 May 2004, Dennis Gilmore wrote:
> >
> > Why invent a new caching? We already have an off-line authentication system
> > -- standard Unix authentication. Rather than caching authentication, I'd
> > just like fall back to local accounts when disconnected. When I'm in the
> > airport, I should still be able to log into my laptop authenticating
> > against /etc/shadow even though I'm either not on a network, or on a
> > network but not able to access my ldap server, my kdc, etc.
> >
> > later,
> > chris
> 
> because organisations with thousands of users want to set up authentication
> once only in a central place and have that information used for many
> different services and servers as well as different machines.

The standard way I have seen it implemented on other versions of Linux
(here and other large organizations) is that the central authentication
is used first in the pam stack and if it fails/isn't available you get
authorized against the local password db which if it works lets you in.

In this scenario the person only gets network credentials if the
kerberos server is there and can't get off the box otherwise.  Anything
else is considered too security prone because the attacker already has
physical access to the asset.

-- 
Stephen John Smoogen		smoogen at lanl.gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --
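The stack ordering described in the message above, as an added example that is not from the original post or from Fedora's own pam.d files: an auth section for a Linux-PAM service file. The file path /etc/pam.d/system-auth is assumed, the modules are pam_krb5 and pam_unix with their documented options, and the stricter variant at the end assumes that pam_krb5 reports PAM_AUTHINFO_UNAVAIL when it cannot reach any KDC.

```text
# /etc/pam.d/system-auth, auth section only (added example, not the
# original post's or Fedora's own file).
#
# 1. Try the central KDC first.  "sufficient" means: success ends the
#    stack right here, and the login has obtained Kerberos credentials
#    (the ticket cache is written when the application calls
#    pam_setcred).  Any failure is non-fatal and falls through to 2.
auth        sufficient    pam_krb5.so
#
# 2. Fallback: the local password db (/etc/shadow).  try_first_pass
#    reuses the password already typed so the user is not prompted
#    twice.  A login that succeeds here has NO network credentials,
#    which is the "can't get off the box" property described above.
auth        required      pam_unix.so try_first_pass
#
# Caveat: "sufficient" falls through on *any* pam_krb5 failure, not
# only an unreachable KDC.  A wrong Kerberos password is silently
# retried against the local hash, so the local password becomes a
# second accepted password for the same account, and the failed
# Kerberos attempt is only visible in the local logs.  A stricter
# variant (assumed behaviour: pam_krb5 returns PAM_AUTHINFO_UNAVAIL
# when no KDC can be reached) falls back to /etc/shadow only in that
# case and denies everything else, including a bad Kerberos password:
#
#   auth  [success=done authinfo_unavail=ignore default=die]  pam_krb5.so
#   auth  required      pam_unix.so try_first_pass
```

The bracketed control field is standard Linux-PAM syntax: success=done returns success immediately, authinfo_unavail=ignore continues down the stack as if pam_krb5 were absent, and default=die turns any other return value into an immediate denial. Test a change like this on a second console before logging out, since a typo in the control field locks every account out of the service.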