Subject: Re: PAM and su -K
To: Roland Dowdeswell <>
From: Jason Thorpe <>
List: tech-userlevel
Date: 01/16/2005 11:22:28

On Jan 16, 2005, at 10:55 AM, Roland Dowdeswell wrote:

> Presumably because if the KDC are unavailable it will take a long
> time for the libraries to time out and try local passwords. It is
> less necessary for things like Hesiod/NIS because you can organise
> /etc/nsswitch.conf to search files first for critical accounts.

Define "a long time". I have seen fairly short timeouts when the KDC
is unavailable for applications like e.g. sudo.

In any case, don't really think the argument of "in case Kerberos is
down" really holds water. What if it's Radius that you're using?
Should we add a special flag for that, too?

-- Jason R. Thorpe <>