Disconnect Login (Was: FC3 Bug Week - HELP WANTED)

John Dennis jdennis at redhat.com
Fri Sep 24 22:12:45 UTC 2004


On Fri, 2004-09-24 at 17:07, Stephen J. Smoogen wrote:
> What I have been trying to do is get our laptops set up so that they
> can get kerberos tickets if they are on the domain, and not to get
> them if they are not. The problem is currently most seen in

> When the laptop is plugged into the network and a local password is
> used the access occurs. When I unplug the box but move the settings to
> even optional.. it just sits for 2 minutes and login times out.

We added a new pam module in FC3 called pam_ccreds from PADL software.
"CCreds" stands for "Cached Credentials". This may do what you want.

The pam ccreds (Cached Credentials) is an optional pam module that would
only be turned on by explicit root configuration. It works by caching in
an encrypted form the credentials from a successful login. The encrypted
cache is readable only by root, making it equivalent to the shadow
mechanism. The idea is that if an organization is using server based
authentication (e.g. NIS or LDAP) and the user disconnects from his
network he should still be able to login to his notebook. The cache is
only consulted if a server based pam module reports its server is
unavailable. If a server while connected ever reports a positive NAK on
authentication, the user's cached credentials are immediately flushed;
this means a user does not have unlimited future ability to authenticate
if his privileges are revoked on his network. He can only authenticate
while disconnected and only if the previous connected authentication was
successful. This provides a good trade-off between security and
practical real world access for mobile users.

There are a few additional issues you will need to take into account:

1) authconfig needs to be patched to support ccreds, I don't think that
patch made it into FC3.

2) User id information (e.g. nsswitch) still has to come from some
place. If it's currently network served you'll have problems. Rumor has
it that FC3 picked up support for caching this, but at the immediate
moment I don't have the details at my fingertips.

3) Home dirs will have to be local (we are in the process of adding
support for home dir caching).

4) The network timeouts for the krb server won't occur if the network is
turned off as opposed to unavailable (e.g. service network stop). There
was a bug in pam_krb5 which returned the wrong error code when the
krb server was unavailable: it used to return "authentication failure"
instead of the correct "server unavailable". That was fixed and I'm
pretty sure it is in FC3.

-- 
John Dennis <jdennis at redhat.com>
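The stacking the message describes, as an added example that is not part of the original post or of Red Hat's FC3 configuration: it follows pam_ccreds' documented validate/store/update actions, and the file name, the use of pam_krb5 as the network module and the pam_unix line are assumptions.

```text
# auth section of /etc/pam.d/system-auth (assumed location; authconfig
# in FC3 will not write this for you, so it is edited by hand)
# Local accounts are handled here and never reach the lines below.
auth    sufficient  pam_unix.so
# Network login. "authinfo_unavail" (server unreachable) falls through to
# the cache check. Success skips 1 line (-> store). Any other result,
# including "authentication failure", skips 2 lines (-> update = flush).
auth    [authinfo_unavail=ignore success=1 default=2]  pam_krb5.so use_first_pass
# Reached only when the server was unavailable: compare the typed
# password against the root-only encrypted cache and finish with that.
auth    [default=done]  pam_ccreds.so action=validate use_first_pass
# Reached after a successful connected login: refresh the cached entry.
auth    [default=done]  pam_ccreds.so action=store
# Reached after a server NAK: drop this user's cached entry, then fail.
# This is why item 4 matters: a pam_krb5 that reports "authentication
# failure" for an unreachable server lands here and wipes the cache
# instead of reaching the validate line.
auth    [default=bad]   pam_ccreds.so action=update
```

The three pam_ccreds lines must stay in this order, since the skip counts on the pam_krb5 line depend on it.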
