[OpenAFS] Re: is this what windows folks call "integrated login"? (but with local hashed password)
Mon, 30 Aug 2010 00:02:51 +0000
Derrick Brashear <email@example.com> writes:
>> My laptop has a local copy of my password in hashed form, so it can let
> Oh. You're not typing a password, so this won't help you.
Er, sorry, I should have been more clear about that. I am typing in my
password physically at the keyboard. My laptop has a copy of that
password on the disk in hashed format so that it can verify that I typed
in the correct password, but if somebody steals my laptop they can't
simply read my password off the disk (at least I assume MacOS does this
like all good unices do -- it would be a shame if it didn't; this is the
only reason I consider it safe to use the same password for both my
laptop's local login and my Kerberos principal).
So, anyways, lack of network access will not delay the local operating
system's decision about whether or not to let me proceed with my login.
But it may delay the acquisition of tickets. But if I'm not on the
network, then ending up logged in locally without tickets is no big deal
-- especially if there's a daemon sitting around waiting for the network
to come back. I guess it would need to be holding my unhashed password
in memory, but with encrypted swap and a screensaver password that's
still not a huge concern.