kerberos+laptop
Russ Allbery
rra at stanford.edu
Tue Aug 11 17:03:25 EDT 2009
Edward Murrell <edward at murrell.co.nz> writes:
> I've been wondering about this problem for a while. My current solution
> on my laptop is to use a normal /etc/passwd login, and run kinit once
> I'm logged in.
>
> What I would like is to allow some method of transparently caching
> passwords, then creating a TGT once network connectivity is established.
This wouldn't be as neat, and I don't want to discourage you from pursuing
the neat solution, but have you considered just stacking pam_unix and
pam_krb5, setting your local password to match your Kerberos password, and
then attempting pam_krb5 first and falling back on pam_unix if pam_krb5
fails?
It does have the drawback of opening your Kerberos password up to an
off-line brute force attack by someone who steals your laptop and hence
has access to the local /etc/shadow file, but that doesn't seem like too
huge of a security drawback to me.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
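
Added example, not part of the original message: one way to write the stacked configuration the reply describes, with pam_krb5 tried first and pam_unix as the fallback. The file path (Debian's /etc/pam.d/common-auth) and the minimum_uid value are assumptions; adjust both for the local system.

```conf
# /etc/pam.d/common-auth  (assumed path; Debian-style layout)
#
# 1. Try Kerberos first. "sufficient" ends the auth stack with success
#    if the KDC accepts the password. Any failure (wrong password, or
#    KDC unreachable because the laptop is offline) is ignored and
#    processing continues with the next line.
#    minimum_uid=1000 (assumed value) keeps root and system accounts
#    out of Kerberos authentication.
auth    sufficient    pam_krb5.so minimum_uid=1000

# 2. Fallback: verify the password the user already typed against the
#    local hash in /etc/shadow. try_first_pass reuses that password
#    instead of prompting a second time. This only works as a fallback
#    when the local password has been set to match the Kerberos one,
#    and that local hash is the material exposed to off-line guessing
#    if the laptop is stolen.
auth    required      pam_unix.so try_first_pass
```

A login that succeeds through the pam_unix fallback has no TGT, so kinit still has to be run once the network is available.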