kerberos+laptop
Russ Allbery
rra at stanford.edu
Tue Aug 11 17:23:31 EDT 2009
Edward Murrell <edward at murrell.co.nz> writes:
> On Tue, 2009-08-11 at 14:03 -0700, Russ Allbery wrote:
>> This wouldn't be as neat, and I don't want to discourage you from
>> pursuing the neat solution, but have you considered just stacking
>> pam_unix and pam_krb5, setting your local password to match your
>> Kerberos password, and then attempting pam_krb5 first and falling back
>> on pam_unix if pam_krb5 fails?
>> It does have the drawback of opening your Kerberos password up to an
>> off-line brute force attack by someone who steals your laptop and hence
>> has access to the local /etc/shadow file, but that doesn't seem like
>> too huge of a security drawback to me.
> Yep. The problem is that I don't get network (wifi) connectivity till
> after I'm logged in. I guess there's some argument as to weather this is
> good or bad design, but that's how it is.
Oh, I see, and then you don't get tickets because you've already
authenticated. Right, that makes sense now.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list