Ticket #1087 (new enhancement)

Opened 10 years ago

Last modified 9 years ago

pam_mitsecure

Reported by: geofft
Owned by:
Priority: normal
Milestone: The Distant Future
Component: --
Keywords:
Cc:
Fixed in version:
Upstream bug:

Description

Create a PAM module to pass the provided username and password to the MIT SECURE wifi network and wait for a connection if there's no network connection, before trying to authenticate via Kerberos.

(Note that Hesiod doesn't work until you're on the network -- it's unclear to me whether the right thing happens if a user doesn't exist in NSS at the beginning of the login process and does at the end, so this might turn out to be impossible.)

Change History

comment:1 follow-up: ↓ 2 Changed 10 years ago by jdreed

It's not entirely clear to me this is a good idea, or needed. We've verified that putting NM in the gdm panel works to connect to MIT SECURE. Also, if you have a laptop, you should set up MIT SECURE once, and be done with it. There's no good reason to have it be "on demand". If there are issues about PAM's behavior at login time, I'd rather we put effort into making sure PAM has a better understanding of when it has network and when it doesn't.

comment:2 in reply to: ↑ 1 Changed 10 years ago by kaduk

Replying to jdreed:

> It's not entirely clear to me this is a good idea, or needed. We've verified that putting NM in the gdm panel works to connect to MIT SECURE. Also, if you have a laptop, you should set up MIT SECURE once, and be done with it. There's no good reason to have it be "on demand". If there are issues about PAM's behavior at login time, I'd rather we put effort into making sure PAM has a better understanding of when it has network and when it doesn't.

Er, is there a way to set up MIT SECURE "just once" that does not involve leaving my password or equivalent in a file on disk? I haven't seen a whole lot of documentation on these things (though perhaps I haven't looked a whole lot), but I have negative interest in leaving my credentials sitting around like that.

comment:3 Changed 9 years ago by jdreed

I wonder if what we want here is clever keyring (or similar) integration, such that you can leave your network credentials on disk in a reasonably secure manner and bring up interfaces that require them at boot time. This may not appease people who don't want to leave their Kerberos password around anywhere, ever, but I think we've lost that battle, and this would at least bring us on a par with other consumer OSes. This also changes this ticket from an incredibly hard bootstrap problem to a less hard integration problem.
