On Tue, 2004-05-11 at 16:13, Felipe Alfaro Solana wrote:
> On Tue, 2004-05-11 at 15:40, Dennis Gilmore wrote:
> > Once upon a time Tuesday 11 May 2004 11:24 pm, Havoc Pennington wrote:
> > >
> > > This isn't the first strong customer request for disconnected operation.
> > > I have no idea what's involved though (it seems like there would be some
> > > tricky security issues?). I could ask Nalin, but public lists beat
> > > hallway conversations. ;-)
> >
> > I see disconnected authentication as the caching of just enough data to allow
> > system authentication. All other authentication should be resolved when the user
> > becomes online again and can ask for new tickets. For instance, at my old
> > work I had 2 PCs and sometimes I would have one disconnected from the network
> > so I could use my laptop on its network port. And sometimes my password
> > would expire before I could reconnect, so I would use my old password, but
> > once I plugged back into the network I would have to reauthenticate so
> > everything would work.
>
> Although I know this is not a long-term solution, to allow using my laptop
> when disconnected from my LAN, I have set up a local (i.e. shadow)
> password for my user account which is the same as the one in the
> Kerberos realm.
>
> Next, I configured PAM to first try pam_krb5.so and, if unable to
> contact the KDC, try local shadow passwords. It works great when my KDC
> is not reachable, but I must manually keep the shadow and Kerberos
> password synched up.
>
> Until disconnected operation works transparently, this is what I'll keep
> using :-)
>

Why can't you set up PAM to change both the Kerberos and the shadow password?

Jean-Rene Cormier
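
An added sketch, not written by any poster in this thread, of a PAM service file matching the fallback described above and the suggestion to change both passwords in one step. The file path, module order, control flags and options are assumptions, and how pam_krb5 reports an unreachable KDC depends on the build.

```conf
# /etc/pam.d/system-auth  (assumed path; adjust for your distribution)

# --- auth: Kerberos first, local shadow password as fallback -------------
# With "sufficient", ANY pam_krb5 failure falls through to pam_unix. That
# covers an unreachable KDC, but also a password the KDC rejected, so a
# stale local password keeps working even while the machine is online.
auth      sufficient  pam_krb5.so
auth      required    pam_unix.so try_first_pass

# Narrower variant (use instead of the two lines above, not in addition):
# fall back to pam_unix only when the KDC could not be contacted, or when
# the user has no principal (local-only accounts such as root). Any other
# Kerberos failure ends the stack.
# Assumption: this pam_krb5 build returns PAM_AUTHINFO_UNAVAIL when the
# KDC is unreachable and PAM_USER_UNKNOWN for a missing principal.
#auth     [success=done authinfo_unavail=ignore user_unknown=ignore default=die]  pam_krb5.so
#auth     required    pam_unix.so try_first_pass

# --- account --------------------------------------------------------------
account   required    pam_unix.so

# --- password: change shadow and Kerberos together -------------------------
# Both modules are "required", so passwd(1) reports failure unless both
# stores accept the change. pam_unix prompts for the new password;
# pam_krb5 reuses it via use_authtok instead of prompting again.
# Linux-PAM runs the whole password stack once as a preliminary check
# before any module updates anything. Assumption: pam_krb5 contacts the
# KDC during that check, so an offline change is refused up front rather
# than updating only the shadow file.
password  required    pam_unix.so shadow
password  required    pam_krb5.so use_authtok

# --- session ---------------------------------------------------------------
session   required    pam_unix.so
session   optional    pam_krb5.so
```

The local shadow hash is still a second copy of the Kerberos password stored on the laptop, so it needs the same protection as any offline credential cache.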