[31359] in Kerberos
Re: kerberos+laptop
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Aug 11 17:04:04 2009
To: Edward Murrell <edward@murrell.co.nz>
In-Reply-To: <1250023865.25839.15.camel@entropy> (Edward Murrell's message of "Wed, 12 Aug 2009 08:51:05 +1200")
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 11 Aug 2009 14:03:25 -0700
Message-ID: <878whq5ahu.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Edward Murrell <edward@murrell.co.nz> writes:
> I've been wondering about this problem for a while. My current solution
> on my laptop is to use a normal /etc/passwd login, and run kinit once
> I'm logged in.
>
> What I would like is to allow some method of transparently caching
> passwords, then creating a TGT once network connectivity is established.
This wouldn't be as neat, and I don't want to discourage you from pursuing
the neat solution, but have you considered just stacking pam_unix and
pam_krb5, setting your local password to match your Kerberos password, and
then attempting pam_krb5 first and falling back on pam_unix if pam_krb5
fails?
It does have the drawback of opening your Kerberos password up to an
off-line brute force attack by someone who steals your laptop and hence
has access to the local /etc/shadow file, but that doesn't seem like too
huge of a security drawback to me.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
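The stacking Russ describes, written out as a Linux-PAM fragment. This is an added example, not a configuration from the thread or from the pam-krb5 project; it assumes Linux-PAM control flags, Russ's pam-krb5 module and pam_unix, and the option names shown.

```conf
# Constructed /etc/pam.d/common-auth style fragment (added example).
# Kerberos is tried first; if the KDC is unreachable (laptop offline) or
# pam_krb5 otherwise fails, control falls through to the local /etc/shadow
# entry. The local password must equal the Kerberos password for the
# fallback to be transparent to the user.
#
# "sufficient": success ends the auth stack immediately; failure is ignored
# and the next module runs. minimum_uid keeps system accounts local-only.
auth      sufficient  pam_krb5.so   minimum_uid=1000
# use_first_pass reuses the password already typed for pam_krb5, so the
# user is not prompted a second time when the Kerberos attempt fails.
auth      required    pam_unix.so   use_first_pass

# Session: let pam_krb5 set up the ticket cache when it authenticated;
# "optional" so a local-only login still succeeds.
session   optional    pam_krb5.so   minimum_uid=1000
session   required    pam_unix.so

# The local hash is the offline brute-force surface the message describes;
# a slow hash limits what a stolen /etc/shadow is worth (assumed options).
password  required    pam_unix.so   sha512 rounds=100000
```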
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos