On Tue, 2004-05-11 at 08:05, Dennis Gilmore wrote:
> Once upon a time Wednesday 12 May 2004 12:00 am, Chris Ricker wrote:
> > On Tue, 11 May 2004, Dennis Gilmore wrote:
> >
> > Why invent a new caching? We already have an off-line authentication
> > system -- standard Unix authentication. Rather than caching
> > authentication, I'd just like to fall back to local accounts when
> > disconnected. When I'm in the airport, I should still be able to log
> > into my laptop authenticating against /etc/shadow even though I'm
> > either not on a network, or on a network but not able to access my
> > ldap server, my kdc, etc.
> >
> > later,
> > chris
>
> because organisations with thousands of users want to setup
> authentication once only in a central place and have that information
> used for many different services and servers as well as different
> machines.

The standard way I have seen it implemented on other versions of Linux
(here and other large organizations) is that the central authentication
is used first in the pam stack and if it fails/isn't available you get
authorized against the local password db which if it works lets you in.
In this scenario the person only gets network credentials if the
kerberos server is there and can't get off the box otherwise. Anything
else is considered too security prone because the attacker already has
physical access to the asset.

--
Stephen John Smoogen  smoogen@xxxxxxxx
Los Alamos National Lab  CCN-5  Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --
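The ordering Stephen describes (central Kerberos first, local password database as the fallback, explicit deny at the end), written out as an illustrative Linux-PAM auth stack. This is an added example for readers of the thread, not a configuration posted by anyone on the list; the module names pam_krb5.so, pam_unix.so and pam_deny.so are standard Linux-PAM modules, and the file path is assumed.

```conf
# Assumed location: /etc/pam.d/system-auth (auth section only).
# Added illustration of the "central first, local fallback" stack.

# 1. Try the central KDC first. "sufficient" means: if pam_krb5 succeeds,
#    the auth stack ends with success and the user also receives network
#    credentials (a Kerberos ticket). If it fails, whether because the
#    password is wrong or because the KDC is unreachable, the failure is
#    ignored and evaluation simply continues to the next line.
auth    sufficient    pam_krb5.so

# 2. Fall back to /etc/shadow. use_first_pass reuses the password already
#    typed, so the user is not prompted a second time. Success here lets
#    the user onto the box, but no ticket is issued, so nothing on the
#    network can be reached with these credentials.
auth    sufficient    pam_unix.so use_first_pass

# 3. Neither module accepted the user: deny explicitly rather than relying
#    on the empty-stack default.
auth    required      pam_deny.so
```

The fallback only helps accounts that actually have a hash in the local shadow file; a user who exists solely in the central directory still cannot log in while the KDC is unreachable, which is the point Chris raised about laptops.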