systematic Kerberization

Panu Matilainen pmatilai at welho.com
Tue May 11 17:19:22 UTC 2004


On Tue, 2004-05-11 at 19:48, Ronny Buchmann wrote:
> On Tuesday 11 May 2004 18:10, you wrote:
> > On Tue, 2004-05-11 at 10:26, Chris Ricker wrote:
> > > I'm well aware of how it works. I'm also aware that it doesn't solve the
> > > problem of wanting to work disconnected. Kerberos ticket caching still
> > > requires initial connectivity. It also does nothing for LDAP, NIS, etc.
> > > You'd need a totally new ad-hoc caching mechanism above and beyond the
> > > krb ticket cache, and I don't think it would turn out to be something any
> > > sane organization would want.... Local accounts, OTOH, are an access
> > > control mechanism that is at least well-understood, which is why our
> > > standard is to fall back to them if distributed is unavailable.
> >
> > What does Windows do for laptops?
> Windows does caching.
> 
>  1. login on network (domain login)
>  2. authentication information (user/password (hash?)) is cached
>  3. logout
>  4. timespan of length x
>  5. disconnect
>  6. login at domain (against cached auth info)
> 
> So in short, if you once were logged in, you can login at (any?) later time 
> without network (AFAIK this needs to be enabled somewhere, it's not default).

From what I've seen I think Windows defaults to caching (but this is
just guessing from what I've seen, not claiming to know :) Anyway it's
not laptop specific: you have any workstation authenticating from a
domain, pull out the network cable and you're still able to log in if
you have previously logged in to that particular system. IIRC it also
caches account and password expiration times so you can't just
endlessly keep logging into a system just by keeping it out of the
network.

I wrote a "pam_cache" module as a quick experiment a couple of years
ago which grabs the essential user+auth information from LDAP when you
login while connected to the network, rewrites the info to /etc/passwd &
friends and thus keeps the accounts more-or-less in sync. It sorta
worked but boy it was ugly :)

PADL has started some work towards this:
http://www.padl.com/OSS/pam_ccreds.html and
http://www.padl.com/OSS/nss_updatedb.html
However the way it currently works is that it dumps the whole contents
of user and group information from a directory to the local disk, which
isn't really acceptable with tens of thousands of users and groups...

	- Panu -


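An added example (not code from Panu's pam_cache, nor from PADL's pam_ccreds/nss_updatedb) sketching the per-user cached-credential check the thread describes: an entry is written only for a user who logs in while connected, it holds a salted PBKDF2 verifier rather than the password, and the offline path honours the account expiry the directory reported plus a maximum cache age, so a machine kept off the network cannot be logged into indefinitely. The DIRECTORY dict standing in for LDAP/Kerberos, the users, passwords, timestamps, and the round-count and age parameters are all constructed assumptions.

```python
"""Per-user credential cache for offline login (illustrative, not pam_cache)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

PBKDF2_ROUNDS = 50_000  # assumption: cost of the cached verifier

# Constructed stand-in for the directory (LDAP/KDC); not real accounts.
T0 = 1_700_000_000  # constructed "now" in epoch seconds
DIRECTORY = {
    "alice": {"password": "correct horse", "expires": T0 + 30 * 86400},
    "bob":   {"password": "battery staple", "expires": T0 + 30 * 86400},
}


@dataclass
class CachedCredential:
    salt: bytes
    verifier: bytes         # PBKDF2-HMAC-SHA256 of the password, never the password
    account_expires: float  # epoch seconds, copied from the directory at login time
    cached_at: float        # epoch seconds when this entry was written


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen cache file is not a password list."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class CredentialCache:
    """Holds entries only for users who have logged in from this host while connected,
    so the cache stays small even when the directory has tens of thousands of users."""

    def __init__(self, max_offline_age: float) -> None:
        self.max_offline_age = max_offline_age
        self.entries: Dict[str, CachedCredential] = {}

    def online_login(self, directory: dict, user: str, password: str, now: float) -> bool:
        """Authenticate against the (simulated) directory; on success refresh the cache."""
        rec = directory.get(user)
        if rec is None or rec["password"] != password or rec["expires"] <= now:
            return False
        salt = secrets.token_bytes(16)
        self.entries[user] = CachedCredential(
            salt=salt,
            verifier=derive_verifier(password, salt),
            account_expires=rec["expires"],
            cached_at=now,
        )
        return True

    def offline_login(self, user: str, password: str, now: float) -> bool:
        """Authenticate with no network, using only what was cached at a connected login."""
        entry = self.entries.get(user)
        if entry is None:
            return False  # never logged in from this machine
        if now >= entry.account_expires:
            return False  # the directory said the account expires; honour it offline too
        if now - entry.cached_at > self.max_offline_age:
            return False  # cache too stale: require a connected login to refresh it
        candidate = derive_verifier(password, entry.salt)
        return hmac.compare_digest(candidate, entry.verifier)


if __name__ == "__main__":
    cache = CredentialCache(max_offline_age=7 * 86400)
    print("online alice:", cache.online_login(DIRECTORY, "alice", "correct horse", T0))
    print("offline alice (1h later):", cache.offline_login("alice", "correct horse", T0 + 3600))
    print("offline bob (never cached):", cache.offline_login("bob", "battery staple", T0 + 3600))
    print("offline alice (8 days later, stale):", cache.offline_login("alice", "correct horse", T0 + 8 * 86400))
```

The stale-cache and account-expiry checks are the two parts that a plain "copy the passwd entry" approach misses; a real module would also need to remove or mark entries when the directory later disables the account.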




More information about the fedora-devel-list mailing list