kerberos+laptop
Edward Murrell
edward at murrell.co.nz
Tue Aug 11 16:51:05 EDT 2009
I've been wondering about this problem for a while. My current solution
on my laptop is to use a normal /etc/passwd login, and run kinit once
I'm logged in.
What I would like is to allow some method of transparently caching
passwords, then creating a TGT once network connectivity is
established.
Doing so would require some smarts beyond what is available using the
current pam_krb5 and /tmp/ ccache tickets. The solution I came up with
would need something like heimdal's KCM daemon. For argument's sake, the
following procedure assumes KCM:
1) User attempts to log in on a network-disconnected laptop
2) pam_krb5 connects to the local KCM daemon
3) KCM daemon discovers that the network is unavailable, and checks the
previously cached* password
4) If login password and cache password match, then the user can log in.
5) At some point, network connectivity is established; KCM will then
automatically connect to the KDC via the normal methods and
generate a TGT.
6) If the account is locked or the password changed, this will be noted,
and KCM will disallow future logins and/or notify the appropriate
system (probably via D-Bus) to force a log/lock out of the user.
* The password would need to be encrypted, possibly using itself.
+ KCM would need to notice when a user has changed their own
password, and update itself accordingly. Presumably this could be
done via PAM.
Any thoughts on this?
Cheers,
Edward
On Sat, 2009-07-18 at 13:21 -0400, David Abrahams wrote:
> Hi,
>
> I'm trying to find out what's needed to make Kerberos work well on a
> laptop that may run disconnected from its master KDC, and occasionally,
> from everything (NIC turned off). In particular, a Mac laptop, which is
> apparently already running an LKDC
> (http://www.afp548.com/article.php?story=20080709091503862). I've done
> all the googling, and got nothing conclusive. I mention the LKDC in part
> because one of the few ideas I did find was to run a slave KDC on the
> laptop, but I'm not sure whether that's even possible, given the
> required presence of the LKDC.
>
> Any help would be much appreciated, and I'd be happy to document
> anything I learn in a public place so the next guy doesn't have to
> pester this list about it.
>
> Thanks in advance,
>
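As an added, stand-alone illustration of the six-step procedure proposed above (this is not code from the thread, from Heimdal's KCM, or from pam_krb5): a Python model in which the realm KDC is a dictionary, "network available" is a flag, and D-Bus notifications are appended to a list. One design choice is assumed here rather than taken from the message: the at-rest cache holds a salted PBKDF2 verifier of the password, not the password encrypted with itself, so a stolen disk yields only a slow-to-crack verifier; the plaintext is held in memory only for the logged-in session so that the deferred AS-REQ can be sent when the network returns. Names such as `FakeKDC`, `OfflineCache`, `login` and `reconcile`, the status strings, and the lifetime constant are all hypothetical.

```python
"""Hypothetical model of an offline-capable Kerberos credential cache.

Stand-alone simulation of the six-step procedure from the message above;
not Heimdal's KCM and not pam_krb5. The KDC is a dict, the network is a
flag, and D-Bus messages are appended to a list.
"""
import hashlib
import hmac
import secrets
import time

KDF_ITERATIONS = 100_000         # deliberately slow: the cache is an offline-crack target
CACHE_LIFETIME = 7 * 24 * 3600   # offline logins allowed for a week after the last online check


class FakeKDC:
    """Stand-in for the realm KDC: knows each principal's password and lock state."""

    def __init__(self):
        self.accounts = {}   # principal -> {"password": str, "locked": bool}

    def add(self, principal, password):
        self.accounts[principal] = {"password": password, "locked": False}

    def as_req(self, principal, password):
        """Simulated AS-REQ with password pre-authentication: returns (status, tgt)."""
        acct = self.accounts.get(principal)
        if acct is None:
            return "UNKNOWN_PRINCIPAL", None
        if acct["locked"]:
            return "CLIENT_REVOKED", None
        if acct["password"] != password:
            return "PREAUTH_FAILED", None
        return "OK", f"TGT({principal}, issued={int(time.time())})"


class OfflineCache:
    """At rest: a salted PBKDF2 verifier per principal (assumed design), never the password.

    The password itself lives only in session_secret, in memory, while the
    user is logged in, so the daemon can still perform the deferred AS-REQ.
    """

    def __init__(self):
        self.entries = {}          # principal -> {"salt", "verifier", "validated_at"}
        self.session_secret = {}   # principal -> password, in-memory only
        self.events = []           # what the daemon would publish over D-Bus

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

    def store(self, principal, password):
        """Record a verifier; called only after the KDC has accepted this password."""
        salt = secrets.token_bytes(16)
        self.entries[principal] = {"salt": salt,
                                   "verifier": self._kdf(password, salt),
                                   "validated_at": time.time()}

    def matches(self, principal, password, now=None):
        """Step 4: offline comparison, refusing entries older than CACHE_LIFETIME."""
        e = self.entries.get(principal)
        if e is None:
            return False
        now = time.time() if now is None else now
        if now - e["validated_at"] > CACHE_LIFETIME:
            return False   # stale: an online check is required before trusting it
        return hmac.compare_digest(e["verifier"], self._kdf(password, e["salt"]))

    def invalidate(self, principal, reason):
        """Step 6: drop the cache entry and tell the session manager to log the user out."""
        self.entries.pop(principal, None)
        self.session_secret.pop(principal, None)
        self.events.append(("force_logout", principal, reason))


def login(cache, kdc, principal, password, online):
    """Steps 1-4: online -> real AS-REQ; offline -> compare against the cached verifier."""
    if online:
        status, _tgt = kdc.as_req(principal, password)
        if status != "OK":
            return status
        cache.store(principal, password)   # refresh the verifier after every online success
        cache.session_secret[principal] = password
        return "ONLINE_LOGIN"
    if cache.matches(principal, password):
        cache.session_secret[principal] = password   # kept for the deferred AS-REQ
        return "OFFLINE_LOGIN"
    return "OFFLINE_DENIED"


def reconcile(cache, kdc, principal):
    """Steps 5-6: network is back; obtain the TGT or tear the session down."""
    password = cache.session_secret.get(principal)
    if password is None:
        return "NO_SESSION"
    status, tgt = kdc.as_req(principal, password)
    if status == "OK":
        cache.store(principal, password)   # re-validate and restart the offline lifetime
        return tgt
    cache.invalidate(principal, status)    # account locked or password changed upstream
    return status
```

Two behaviours worth noting when running it: the very first login must be online, because nothing is cached yet; and once the password is changed on the KDC, the stale offline login still succeeds (the laptop cannot know yet), but the first `reconcile` after reconnection returns `PREAUTH_FAILED`, drops the entry, and emits the force-logout event, after which further offline logins with the old password are refused.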