Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting? - Mailing list pgsql-admin

From Tim Watts
Subject Re: Postgresql 8.4 GSSAPI auth with fallback to password prompting?
Date
Msg-id 5150610E.3090706@kcl.ac.uk
In response to Postgresql 8.4 GSSAPI auth with fallback to password prompting?  (Tim Watts <tim.j.watts@kcl.ac.uk>)
List pgsql-admin
On 25/03/13 13:25, Stephen Frost wrote:
> Tim,
>
> * Tim Watts (tim.j.watts@kcl.ac.uk) wrote:
>> I would have to respectfully take another point of view: that that
>> particular judgement is probably better placed with the sysadmin
>> rather than a blanket decision by the devs.
>
> It's not a blanket decision by any means- the current situation is that
> such an option doesn't exist.  It's not "it exists, but we disabled it
> because we felt like it."
>
> Were someone to write the code to support such an option, it's entirely
> possible it'd get committed (though likely with strong caveats about its
> use in the documentation).

That's totally fair... Not sure if I could. I hacked an option into
Samba from a cold start once. On an equal footing, OpenLDAP's source
code totally defeated me ;-> I might have a look to see if it looks
"trivial" or "hard".

>> Reason: Whilst the argument is solid in an ideal world (all clients
>> are part of the kerberos realm), in reality it means that I cannot
>> gain partial security improvements and I have to leave it running
>> with PAM auth which ensures that passwords are chucked around 100%
>> of the time.
>
> The pg_hba.conf allows you to migrate users or sets of users at a time.
> Having a fall-back mechanism if Kerberos doesn't work is a different
> thing.  My experience has been that all clients (or at least, all in a
> given IP range or for a set of users) *are* part of the Kerberos realm
> because they're coming from Active Directory or another entrenched
> Kerberos installation.  That's specifically because that's how
> Kerberos is intended to work and how it provides a strong
> authentication mechanism.

I think that laptops[1] and "BYOD" (Bring your own device, eg *pads) are
going to make that scenario less common.

[1] OK - it is perfectly possible to have a managed laptop. But it's
harder than a managed desktop so I've not seen it outside of very large
corporations with draconian policies on using their and only their devices.

>> But it would be nice to be able to use kerberos tickets *where
>> available* and fallback to password-interactive login where not.
>
> And I continue to contend that this is a very bad idea.

But less bad than not using kerberos for anything...

Cheers

Tim
--
Tim Watts                               Tel (VOIP): +44 (0)1580 848360
Systems Manager              Digital Humanities, King's College London

Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
Personal Blog:                         http://squiddy.blog.dionic.net/

"She got her looks from her father. He's a plastic surgeon."
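As an added illustration of the staged migration Stephen describes above (a pg_hba.conf fragment written for this thread, not configuration posted by either author; the address range, the "kerbusers" role and the EXAMPLE.ORG realm are placeholders, and the per-method option syntax is the one introduced in 8.4):

```conf
# pg_hba.conf: move groups of users from password auth to GSSAPI one at a time.
# Records are matched top-down on type/database/user/address; the FIRST record
# that matches decides the method, and a failure there is final (no fall-through
# to later lines). Kerberos-only clients therefore have to be selected up front.
# Assumed values: 10.0.1.0/24 = domain-joined desktops, "kerbusers" = role for
# already-migrated people, EXAMPLE.ORG = the Kerberos realm.

# TYPE   DATABASE  USER         ADDRESS        METHOD   [OPTIONS]

# 1. Local maintenance connections are left as they were.
local    all       all                         ident

# 2. Domain-joined desktops: GSSAPI only. krb_realm rejects tickets issued by
#    any other realm; include_realm=0 strips "@EXAMPLE.ORG" so the principal
#    maps directly onto the database role of the same name.
host     all       all          10.0.1.0/24    gss      include_realm=0 krb_realm=EXAMPLE.ORG

# 3. Members of an already-migrated group, from any address (e.g. laptops
#    that do hold a ticket). "+role" matches members of that role. Note the
#    consequence discussed in this thread: a kerbusers member connecting from
#    a device without a ticket is refused here, not offered a password prompt.
host     all       +kerbusers   0.0.0.0/0      gss      include_realm=0 krb_realm=EXAMPLE.ORG

# 4. Everyone not yet migrated (BYOD, unmanaged laptops) keeps password auth,
#    but only over SSL, so the password hash exchange never crosses the wire
#    in the clear. Moving a user into kerbusers is all it takes to migrate them.
hostssl  all       all          0.0.0.0/0      md5

# 5. Non-SSL remote connections are refused explicitly rather than falling
#    back to a weaker method by accident.
host     all       all          0.0.0.0/0      reject
```

Reload with `pg_ctl reload` (or SIGHUP) after editing; a syntax error in a record makes the server keep the previous rules, so check the log after each change.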
