kerberos+laptop

Russ Allbery rra at stanford.edu
Tue Aug 11 17:23:31 EDT 2009


Edward Murrell <edward at murrell.co.nz> writes:
> On Tue, 2009-08-11 at 14:03 -0700, Russ Allbery wrote:

>> This wouldn't be as neat, and I don't want to discourage you from
>> pursuing the neat solution, but have you considered just stacking
>> pam_unix and pam_krb5, setting your local password to match your
>> Kerberos password, and then attempting pam_krb5 first and falling back
>> on pam_unix if pam_krb5 fails?

>> It does have the drawback of opening your Kerberos password up to an
>> off-line brute force attack by someone who steals your laptop and hence
>> has access to the local /etc/shadow file, but that doesn't seem like
>> too huge of a security drawback to me.

> Yep. The problem is that I don't get network (wifi) connectivity till
> after I'm logged in. I guess there's some argument as to weather this is
> good or bad design, but that's how it is.

Oh, I see, and then you don't get tickets because you've already
authenticated.  Right, that makes sense now.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list