On Tue, 2004-05-11 at 15:40, Dennis Gilmore wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Once upon a time Tuesday 11 May 2004 11:24 pm, Havoc Pennington wrote:
> >
> > This isn't the first strong customer request for disconnected operation.
> > I have no idea what's involved though (it seems like there would be some
> > tricky security issues?). I could ask Nalin, but public lists beat
> > hallway conversations. ;-)
>
> I see disconnected authentication as the caching of just enough data to allow
> system authentication. All other authentication should be resolved when the user
> becomes online again and can ask for new tickets. For instance, at my old
> work I had 2 PCs and sometimes I would have one disconnected from the network
> so I could use my laptop on its network port. And sometimes my password
> would expire before I could reconnect, so I would use my old password, but
> once I plugged back into the network I would have to reauthenticate so
> everything would work.

Although I know this is not a long-term solution, to allow using my laptop when disconnected from my LAN, I have set up a local (i.e. shadow) password for my user account which is the same as the one in the Kerberos realm. Next, I configured PAM to first try pam_krb5.so and, if unable to contact the KDC, try local shadow passwords. It works great when my KDC is not reachable, but I must manually keep the shadow and Kerberos passwords synched up. Until disconnected operation works transparently, this is what I'll keep using :-)
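The two-step auth stack the reply above describes ("try pam_krb5.so, and if the KDC is unreachable try local shadow passwords"), written out as an added example; this is not the poster's own configuration. The first form is the common `sufficient` idiom; the second uses Linux-PAM's extended `[value=action]` control syntax so that the local password is only consulted when the KDC could not be contacted. It assumes pam_krb5 reports an unreachable KDC as `authinfo_unavail` (PAM_AUTHINFO_UNAVAIL); module paths and the rest of the `auth` stack (e.g. `/etc/pam.d/login`) are left to the reader.

```text
# /etc/pam.d/<service>  (constructed fragment; only the auth stack is shown)

# Form 1: the usual "sufficient" fallback.
# Any pam_krb5 failure falls through to pam_unix: not only an unreachable KDC,
# but also a password the KDC rejected (wrong, expired, or changed since the
# shadow copy was made). A stale shadow entry therefore keeps working offline
# AND online until it is manually resynced.
auth    sufficient  pam_krb5.so
auth    required    pam_unix.so  use_first_pass

# Form 2: fall back only when the KDC cannot be reached.
#   success          -> stop here, authentication done
#   authinfo_unavail -> ignore this result and continue to pam_unix
#   anything else    -> fail immediately (die), do not consult the shadow file
auth    [success=done authinfo_unavail=ignore default=die]  pam_krb5.so
auth    required    pam_unix.so  use_first_pass
```

With Form 2 a password the KDC has rejected is never re-tried against the shadow file, so the local copy only matters while the host is actually disconnected; the manual synchronisation the poster mentions is still needed, but a forgotten sync no longer widens what is accepted when the KDC is online. The extended control syntax is Linux-PAM specific; Solaris PAM has no equivalent.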