[Gllug] Ubuntu....

Daniel P. Berrange dan at berrange.com
Mon Oct 2 20:18:12 UTC 2006


On Mon, Oct 02, 2006 at 08:24:55PM +0100, Ryan Cartwright wrote:
> Richard Jones wrote:
> >On Mon, Oct 02, 2006 at 01:45:42PM +0100, Ryan Cartwright wrote:
> >>To date most people have asked us two questions - 1. where are my
> >>favourites and 2. why doesn't it remember my passwords. To the first we
> >>explain they are now called Bookmarks and the second we simply explian
> >>the reason we've switched that bit off.
> >
> >And why do you switch it off?
> >
> >Rich.
> < bit you snipped >
> >> people have started to (shock) remember their intranet passwords and 
> >> so can now access it from home without rining us for a reminder each 
> >> time :o).
> 
> Typos aside I was hoping that would explain it.:o) Officially it's 
> because it will help people remember their passwords for use when 
> outside the office.
> 
> Colleagues frequently use our Intranet from outside the office and those 
> who had told IE to remember their passwords kept ringing us to remind 
> them. The site (deliberately) does not have a password reminder facility 
> - not *that* many people. We don't let them set their their own 
> passwords - an even bigger security hole. We won't send passwords via 
> e-mail so they have to ring us. I know that we've created a rod for our 
> own backs there.

One other way out of this dilema is to kerberize the whole system. Firefox
fairly recently gained support for single sign-on using Kerberos / GSSAPI
and the HTTP negotiate authentication method. At the other end of the stack
there is a mod_auth_kerb module for Apache to do the server end of the 
HTTP negotiate auth. So as long as your browser has a valid kerberos ticket,
you'll never see a password again :-)  You can configure PAM to hand out
a krb ticket when logging into X, and GNOME has a daemon that'll prompt
the user to renew the ticket when it periodically expires. 

It is at little rough around the edges in places so probably not really
ready for mass deployment to Joe average user, but its getting closer...


Dan.
-- 
|=-            GPG key: http://www.berrange.com/~dan/gpgkey.txt       -=|
|=-       Perl modules: http://search.cpan.org/~danberr/              -=|
|=-           Projects: http://freshmeat.net/~danielpb/               -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20061002/5993a013/attachment.pgp>
-------------- next part --------------
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug


More information about the GLLUG mailing list