The closest thing to Kerberos at one client is Active Directory.

On Jun 10, 2010, at 11:41 PM, Phillip Moore wrote:
>
> Oh, I'm not dropping PAM. It's perfectly reasonable as coded.
>
> The issue is just the password caching. The code's there, and it works, but
> I'd prefer NOT to do something that makes security pros scoff at us.
>
> Baldwin, do you have Kerberos infrastructure you can leverage in your
> environment?
>
> On Thu, Jun 10, 2010 at 11:36 PM, Baldwin Sung 宋志瑞 <[email protected]> wrote:
> IMHO, the next version of EFS should only support Kerberos. If anybody wants
> to keep the password caching, stay with the current version of EFS. Keep the
> PAM support, who knows what else might be plugged in later on.
>
> On Jun 10, 2010, at 11:26 PM, Phillip Moore wrote:
>
> > Now that we have Kerberos authentication, I don't want to rip out the PAM
> > support, since non-Kerberos enabled sites should be able to use EFS.
> >
> > But, given the ugliness and complexity of the password caching code, and
> > the fact that every last security expert won't like it (and we don't have
> > much grounds to argue with them), why not just trash it?
> >
> > IOW, you'll still be able to authenticate password in efsd via PAM, but the
> > client will require you to submit the password every time, instead of
> > caching it (or attempting to) in ~/.efsconfig.
> >
> > Thoughts?
> >
> > _______________________________________________
> > EFS-dev mailing list
> > [email protected]
> > http://mailman.openefs.org/mailman/listinfo/efs-dev
