Subject: Re: PAM and su -K
To: Jason Thorpe <thorpej@shagadelic.org>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-userlevel
Date: 01/16/2005 14:46:43
On 1105903348 seconds since the Beginning of the UNIX epoch
Jason Thorpe wrote:
>
>> Presumably because if the KDC are unavailable it will take a long
>> time for the libraries to time out and try local passwords. It is
>> less necessary for things like Hesiod/NIS because you can organise
>> /etc/nsswitch.conf to search files first for critical accounts.
>
>Define "a long time". I have seen fairly short timeouts when the KDC
>is unavailable for applications like e.g. sudo.
It depends on the Kerberos implementation. Looks like on my -current
laptop it is about 15s which is not too bad.
>In any case, don't really think the argument of "in case Kerberos is
>down" really holds water. What if it's Radius that you're using?
>Should we add a special flag for that, too?
No. We probably have to do away with the -K flag and accept that
although PAM provides a number of advantages---there are disadvantages
too.
One could define local passwds first in PAM, but this only works
properly if you make sure that your local passwds are different
than your Kerberos passwds (which, of course you should do anyway.)
There is a problem with that approach with su(1), though, which is
that it isn't clear [to me, last time I looked] how to make sure
that the kerberos pam module's prompt is used even though the unix
module will get the first crack at the passwd.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/