
Re: kerberos+laptop

daemon@ATHENA.MIT.EDU (Edward Murrell)
Tue Aug 11 17:16:45 2009

From: Edward Murrell <edward@murrell.co.nz>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <878whq5ahu.fsf@windlord.stanford.edu>
Date: Wed, 12 Aug 2009 09:16:58 +1200
Message-Id: <1250025418.25839.19.camel@entropy>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, 2009-08-11 at 14:03 -0700, Russ Allbery wrote:
> Edward Murrell <edward@murrell.co.nz> writes:
> 
> > I've been wondering about this problem for a while. My current solution
> > on my laptop is to use a normal /etc/passwd login, and run kinit once
> > I'm logged in.
> >
> > What I would like is to allow some method of transparently caching
> > passwords, then creating a TGT once network connectivity is established.
> 
> This wouldn't be as neat, and I don't want to discourage you from pursuing
> the neat solution, but have you considered just stacking pam_unix and
> pam_krb5, setting your local password to match your Kerberos password, and
> then attempting pam_krb5 first and falling back on pam_unix if pam_krb5
> fails?
> 
> It does have the drawback of opening your Kerberos password up to an
> off-line brute force attack by someone who steals your laptop and hence
> has access to the local /etc/shadow file, but that doesn't seem like too
> huge of a security drawback to me.
> 

Yep. The problem is that I don't get network (wifi) connectivity till
after I'm logged in. I guess there's some argument as to whether this is
good or bad design, but that's how it is.
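The stacking Russ describes, written out as an added example (this is not configuration from either poster; the file path and the Debian-style common-auth layout are assumptions, and the module option names are those of pam_krb5 and pam_unix on Linux):

```text
# /etc/pam.d/common-auth  (assumed path; adjust for your distribution)
#
# 1. Try Kerberos first. "sufficient" means: if pam_krb5 succeeds, stop
#    here and return success; if it fails (wrong password, or the KDC is
#    unreachable because wifi is not yet up), fall through to the next line.
auth    sufficient      pam_krb5.so

# 2. Fall back to the local password hash in /etc/shadow. use_first_pass
#    reuses the password already typed for pam_krb5 instead of prompting
#    again, which only works transparently because the local and Kerberos
#    passwords were deliberately set to the same value.
auth    required        pam_unix.so use_first_pass
```

Two things to check when deploying this: with no network at login, pam_krb5 fails and every login is served by pam_unix, so no TGT exists until you run kinit afterwards; and because the local hash now protects the Kerberos password, the drawback Russ notes means /etc/shadow should use a strong hash (sha512 rounds, or full-disk encryption on the laptop) to make offline guessing of a stolen hash as expensive as possible.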


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
