Subject: Re: kerberos on laptops
To: Jun-ichiro itojun Hagino <itojun@iijlab.net>
From: Nathan J. Williams <nathanw@MIT.EDU>
List: tech-net
Date: 12/31/2000 12:03:27
<itojun@iijlab.net> (Jun-ichiro itojun Hagino) writes:

> 	what is the best strategy to run kerberos on laptops?
> 	by "laptops", i mean:
> 	- we may not have IP address at all (modulo loopback)
> 	- IP address changes over time
> 	- i don't want kinit/login to get stuck forever when there's no connectivity
> 	if you have a good way of doing it, please let me know...

Let's step back a moment and ask what you're trying to accomplish with
Kerberos. Here are the uses that come to mind:

        a) log on locally with a kerberos-managed password
        b) acquire credentials for accessing services at some point in
           the future (single-signon)
        c) access local kerberos-authenticated services
        d) access remote kerberos-authenticated services


> 	i tried to run slave kdc on laptop, and have "localhost" in
> 	/etc/krb5.conf, however the attempt failed as seen on PR 11860.
> 	(database synchronization is another issue - it would be easier if
> 	we have a database synchronization tool which uses tcp session
> 	initiated by slave, not master...)

Running a slave KDC is an interesting approach, but I'm not going to
consider it a general solution, because I'm certain that it is
contrary to the security policy of most Kerberos sites.

Given that constraint, we can look at accomplishing the tasks above.

None of them will work if you aren't network-connected. For (a), our
code should be able to fall back to other authentication methods (say,
/etc/passwd) rather than hang. For (b), logging in as in (a) and
running kinit manually is the best you can do. (c) is an interesting
problem, but I think it's also just not possible. If you want to
access local services, with no network, use local authentication. (d)
doesn't make sense if you're not connected.

For the changing-addresses case, your options are to get new tickets
for each address, or to get no-address tickets (--no-addresses to
kinit; I thought there was a krb5.conf flag to make this the default,
but I can't find it).

The only part of this that can really be solved within the Kerberos
model is keeping logins from hanging and using local authentication.

        - Nathan
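An added example (not from either message in this thread, and not NetBSD or Kerberos project code) of the two points the reply settles on: request addressless tickets so an address change does not invalidate them, and bound the time spent talking to the KDC so a login path can fall back to local authentication instead of hanging. The `--no-addresses` option is the Heimdal kinit flag named above; the timeout value, the `login()` wrapper and its fallback hook are assumptions for illustration.

```python
"""Bounded Kerberos credential acquisition with a local fallback.

Added example, not code from the thread. Assumptions: a Heimdal-style
`kinit` is on PATH, and `local_auth` is whatever the caller uses to check
the password against local data (e.g. /etc/passwd), supplied as a callable.
"""
import subprocess
import sys

# Status values returned by run_bounded()
OK, FAILED, TIMEOUT = "ok", "failed", "timeout"


def kinit_argv(principal, no_addresses=True, kinit="kinit"):
    """Build the kinit command line.

    --no-addresses asks for a ticket without an address list, so the ticket
    stays usable when the laptop's IP address changes (Heimdal kinit syntax,
    as named in the thread).
    """
    argv = [kinit]
    if no_addresses:
        argv.append("--no-addresses")
    argv.append(principal)
    return argv


def run_bounded(argv, timeout_s):
    """Run argv with a hard time limit; never block longer than timeout_s.

    Returns OK on exit status 0, FAILED on any other exit status or if the
    program cannot be started, TIMEOUT if it was still running when the
    limit expired (subprocess.run kills it for us in that case).
    """
    try:
        proc = subprocess.run(
            argv,
            stdin=subprocess.DEVNULL,   # never wait on a terminal prompt
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        return TIMEOUT
    except OSError:                     # e.g. kinit not installed
        return FAILED
    return OK if proc.returncode == 0 else FAILED


def login(principal, local_auth, timeout_s=5, argv=None):
    """Try Kerberos first, fall back to local authentication otherwise.

    Returns (method, success). A KDC that does not answer (no network, wrong
    address) is treated exactly like a failed attempt: we move on rather
    than hang. `argv` overrides the kinit command line (used by tests).
    """
    status = run_bounded(argv or kinit_argv(principal), timeout_s)
    if status == OK:
        return ("kerberos", True)
    return ("local", bool(local_auth()))


# Helpers that stand in for a reachable / unreachable KDC using the Python
# interpreter itself, so the example runs offline without a real kinit.
def slow_command(seconds):
    """Command that hangs for `seconds`, like kinit with no route to the KDC."""
    return [sys.executable, "-c", "import time; time.sleep(%d)" % seconds]


def exit_command(code):
    """Command that exits immediately with `code`."""
    return [sys.executable, "-c", "raise SystemExit(%d)" % code]


if __name__ == "__main__":
    print(kinit_argv("user@EXAMPLE.ORG"))
    print(login("user@EXAMPLE.ORG", lambda: True, timeout_s=1,
                argv=slow_command(10)))
```

The krb5.conf default the reply could not locate does exist in later releases: MIT Kerberos accepts `noaddresses` and Heimdal `no-addresses` in the `[libdefaults]` section, which makes every initial ticket request addressless without passing the flag to kinit each time.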