kerberos+laptop
Edward Murrell
edward at murrell.co.nz
Tue Aug 11 17:16:58 EDT 2009
On Tue, 2009-08-11 at 14:03 -0700, Russ Allbery wrote:
> Edward Murrell <edward at murrell.co.nz> writes:
>
> > I've been wondering about this problem for a while. My current solution
> > on my laptop is to use a normal /etc/passwd login, and run kinit once
> > I'm logged in.
> >
> > What I would like is to allow some method of transparently caching
> > passwords, then creating a TGT once network connectivity if established.
>
> This wouldn't be as neat, and I don't want to discourage you from pursuing
> the neat solution, but have you considered just stacking pam_unix and
> pam_krb5, setting your local password to match your Kerberos password, and
> then attempting pam_krb5 first and falling back on pam_unix if pam_krb5
> fails?
>
> It does have the drawback of opening your Kerberos password up to an
> off-line brute force attack by someone who steals your laptop and hence
> has access to the local /etc/shadow file, but that doesn't seem like too
> huge of a security drawback to me.
>
Yep. The problem is that I don't get network (wifi) connectivity till
after I'm logged in. I guess there's some argument as to weather this is
good or bad design, but that's how it is.
More information about the Kerberos
mailing list