[31361] in Kerberos

Re: kerberos+laptop

daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Aug 11 17:23:56 2009

To: Edward Murrell <edward@murrell.co.nz>
In-Reply-To: <1250025418.25839.19.camel@entropy> (Edward Murrell's message of
	"Wed\, 12 Aug 2009 09\:16\:58 +1200")
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 11 Aug 2009 14:23:31 -0700
Message-ID: <87skfy3uzw.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Edward Murrell <edward@murrell.co.nz> writes:
> On Tue, 2009-08-11 at 14:03 -0700, Russ Allbery wrote:

>> This wouldn't be as neat, and I don't want to discourage you from
>> pursuing the neat solution, but have you considered just stacking
>> pam_unix and pam_krb5, setting your local password to match your
>> Kerberos password, and then attempting pam_krb5 first and falling back
>> on pam_unix if pam_krb5 fails?

>> It does have the drawback of opening your Kerberos password up to an
>> off-line brute force attack by someone who steals your laptop and hence
>> has access to the local /etc/shadow file, but that doesn't seem like
>> too huge of a security drawback to me.

> Yep. The problem is that I don't get network (wifi) connectivity till
> after I'm logged in. I guess there's some argument as to whether this is
> good or bad design, but that's how it is.

Oh, I see, and then you don't get tickets because you've already
authenticated.  Right, that makes sense now.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
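
The stacking suggested in the quoted message above, written out as a PAM auth stack. This is an added example, not part of the original thread; the file path and the `minimum_uid` value are assumptions chosen for illustration.

```conf
# Auth section of a PAM service file, e.g. /etc/pam.d/common-auth on
# Debian-style systems (assumed path, not taken from the thread).

# 1. Try Kerberos first. If the KDC accepts the password, the user gets
#    tickets and the rest of the auth stack is skipped.
#    minimum_uid (optional, value assumed) keeps root and system accounts
#    out of Kerberos so they always authenticate locally.
auth    sufficient    pam_krb5.so minimum_uid=1000

# 2. Fall back on the local password when pam_krb5 fails, for example
#    because no KDC is reachable. try_first_pass reuses the password the
#    user already typed instead of prompting a second time.
auth    required      pam_unix.so try_first_pass

# Consequences raised in the thread:
# - The hash in the local /etc/shadow comes from the same password as the
#   Kerberos one, so a stolen laptop exposes it to off-line guessing.
# - A login that succeeds through pam_unix alone (no network at login
#   time) yields no tickets; they must be obtained later, e.g. with kinit.
```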