Logging on with cached ticket
Nikolay Shopik
shopik at inblock.ru
Fri Jun 5 09:44:59 EDT 2009
On 05.06.2009 17:30, Simo Sorce wrote:
> On Fri, 2009-06-05 at 17:22 +0400, Nikolay Shopik wrote:
>> On 05.06.2009 17:15, Simo Sorce wrote:
>>> Windows caches the NT hash of your password.
>>> That's how you get access w/o the KDC. Nothing to do with kerberos
>>> credentials at all.
>>
>> That's what I though for moment. Can such thing (caching MD5/whatever
>> hash locally for some period) accomplished on Linux?
>>
>> By default locking screen doesn't not produce request for new TGT, I
>> mean if workstation is locked. But can be changed via group policy.
>
> There a re a few projects that do password caching on Linux depending on
> what is your environment. The classic one I think pam_ccache, but if
> your KDC is a Windows AD server you can use winbindd which support
> offline logins (and caches users information too so it works also when
> LDAP is not available), then<shameless advertizing> there is also a
> project called SSSD I am working on</shameless advertizing> that aims
> at doing the same but for arbitrary authentication and identity sources,
> although it is still very young, and needs some maturing.
>
> I think we may be going a bit too OT for this list.
> Simo.
>
To make archive complete, you should look for pam_ccreds which is
packaged as libpam-ccreds it does thing.
Thanks Simo for tip.
More information about the Kerberos
mailing list