[31233] in Kerberos
Re: Logging on with cached ticket
daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri Jun 5 09:32:31 2009
From: Simo Sorce <ssorce@redhat.com>
To: Nikolay Shopik <shopik@inblock.ru>
In-Reply-To: <4A291C01.1060003@inblock.ru>
Date: Fri, 05 Jun 2009 09:30:48 -0400
Message-Id: <1244208648.3623.112.camel@localhost.localdomain>
Cc: kerberos@mit.edu
On Fri, 2009-06-05 at 17:22 +0400, Nikolay Shopik wrote:
> On 05.06.2009 17:15, Simo Sorce wrote:
> > Windows caches the NT hash of your password.
> > That's how you get access w/o the KDC. Nothing to do with kerberos
> > credentials at all.
>
> That's what I thought for a moment. Can such a thing (caching MD5/whatever
> hash locally for some period) be accomplished on Linux?
>
> By default locking the screen doesn't produce a request for a new TGT, I
> mean if the workstation is locked. But it can be changed via group policy.
There are a few projects that do password caching on Linux, depending on
what your environment is. The classic one, I think, is pam_ccache, but if
your KDC is a Windows AD server you can use winbindd, which supports
offline logins (and caches user information too, so it also works when
LDAP is not available). Then <shameless advertising> there is also a
project called SSSD I am working on </shameless advertising> that aims
at doing the same but for arbitrary authentication and identity sources,
although it is still very young and needs some maturing.
I think we may be going a bit too OT for this list.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos