systematic Kerberization

Jean-Rene Cormier jean-rene.cormier at cipanb.ca
Tue May 11 19:21:53 UTC 2004


On Tue, 2004-05-11 at 16:13, Felipe Alfaro Solana wrote:
> On Tue, 2004-05-11 at 15:40, Dennis Gilmore wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Once upon a time Tuesday 11 May 2004 11:24 pm, Havoc Pennington wrote:
> > 
> > >
> > > This isn't the first strong customer request for disconnected operation.
> > > I have no idea what's involved though (it seems like there would be some
> > > tricky security issues?). I could ask Nalin, but public lists beat
> > > hallway conversations. ;-)
> > 
> > I see disconnected authentication as the caching of just enough data to allow
> > system authentication. All other authentication should be resolved when the user
> > becomes online again and can ask for new tickets. For instance, at my old
> > work I had 2 PCs, and sometimes I would have one disconnected from the network
> > so I could use my laptop on its network port, and sometimes my password
> > would expire before I could reconnect, so I would use my old password, but
> > once I plugged back into the network I would have to reauthenticate so
> > everything would work.
> 
> Although I know this is not a long-term solution, to allow using my laptop
> when disconnected from my LAN, I have set up a local (i.e. shadow)
> password for my user account which is the same as the one in the
> Kerberos realm.
> 
> Next, I configured PAM to first try pam_krb5.so and, if unable to
> contact the KDC, try local shadow passwords. It works great when my KDC
> is not reachable, but I must manually keep the shadow and Kerberos
> password synched up.
> 
> Until disconnected operation works transparently, this is what I'll keep
> using :-)
> 

Why can't you set up PAM to change both the Kerberos and the shadow
password?

Jean-Rene Cormier
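As an added example (not from any poster in this thread), this is what a Red Hat style /etc/pam.d/system-auth could look like that does both things discussed above: the auth stack tries the KDC and falls back to the local shadow password, and the password stack changes the Kerberos password and the shadow hash in one go. Only the auth and password stacks are shown; the module arguments (use_first_pass, use_authtok, nullok, md5, shadow, retry=3) are assumptions about the pam_krb5 and pam_unix of the period, and the rest of the file is left as the distribution ships it.

```conf
# /etc/pam.d/system-auth (Red Hat style). Added example, not from the
# thread. Only auth and password are shown; module arguments are assumed.

# auth: try the KDC first. "sufficient" means a success ends the stack,
# while ANY failure (wrong password, or KDC unreachable) falls through to
# the local shadow entry. use_first_pass on pam_unix reuses the password
# already typed, so the user is not prompted twice.
auth        required      pam_env.so
auth        sufficient    pam_krb5.so
auth        sufficient    pam_unix.so use_first_pass nullok
auth        required      pam_deny.so

# password: change the Kerberos password and the shadow hash together.
# pam_cracklib prompts for and checks the new password once; the later
# modules reuse it via use_authtok.
# pam_krb5 is "requisite", not "sufficient": a failure stops the stack
# before pam_unix runs, so a change the KDC refused (or could not be
# reached for) does not leave the shadow password out of sync.
password    required      pam_cracklib.so retry=3
password    requisite     pam_krb5.so use_authtok
password    required      pam_unix.so use_authtok md5 shadow
```

Two things to keep in mind with this arrangement. The auth fallback means the shadow password alone is accepted whenever the KDC is unreachable, and anyone who can block traffic to the KDC can bring that about, so KDC-side controls such as password expiry or a disabled principal only take effect again once the laptop is back on the network, and the local shadow hash is now a second copy of the Kerberos secret that has to be protected. The requisite ordering in the password stack is the flip side of that: a password change while disconnected fails outright instead of silently changing only the local copy, which is the behaviour that keeps the two in step.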


More information about the devel mailing list