systematic Kerberization
Chris Ricker
kaboom at gatech.edu
Tue May 11 14:26:21 UTC 2004
On Wed, 12 May 2004, Dennis Gilmore wrote:
> Once upon a time Wednesday 12 May 2004 12:14 am, Chris Ricker wrote:
> > On Wed, 12 May 2004, Dennis Gilmore wrote:
> > > because organisations with thousands of users want to set up
> > > authentication once only in a central place and have that information
> > > used for many different services and servers as well as different
> > > machines.
> >
> > Organizations also want security. Random authentication caching mechanisms
> > are kinda counter to that....
> >
> > later,
> > chris
>
>
> perhaps you should read up on how kerberos authenticates users

I'm well aware of how it works. I'm also aware that it doesn't solve the
problem of wanting to work disconnected. Kerberos ticket caching still
requires initial connectivity. It also does nothing for LDAP, NIS, etc.
You'd need a totally new ad-hoc caching mechanism above and beyond the krb
ticket cache, and I don't think it would turn out to be something any sane
organization would want.... Local accounts, OTOH, are an access control
mechanism that is at least well-understood, which is why our standard is to
fall back to them if distributed is unavailable.
later,
chris
More information about the fedora-devel-list mailing list