[Gllug] Ubuntu....

Ryan Cartwright ryan at crimperman.org
Mon Oct 2 21:55:15 UTC 2006


Daniel P. Berrange wrote:
> On Mon, Oct 02, 2006 at 08:24:55PM +0100, Ryan Cartwright wrote:
>> Richard Jones wrote:
>>> On Mon, Oct 02, 2006 at 01:45:42PM +0100, Ryan Cartwright wrote:
>>>> To date most people have asked us two questions - 1. where are my
>>>> favourites and 2. why doesn't it remember my passwords. To the first we
>>>> explain they are now called Bookmarks and the second we simply explain
>>>> the reason we've switched that bit off.
>>> And why do you switch it off?
>>>
>>> Rich.
>> < bit you snipped >
>>>> people have started to (shock) remember their intranet passwords and 
>>>> so can now access it from home without rining us for a reminder each 
>>>> time :o).
>> Typos aside I was hoping that would explain it.:o) Officially it's 
>> because it will help people remember their passwords for use when 
>> outside the office.
>>
>> Colleagues frequently use our Intranet from outside the office and those 
>> who had told IE to remember their passwords kept ringing us to remind 
>> them. The site (deliberately) does not have a password reminder facility 
>> - not *that* many people. We don't let them set their own 
>> passwords - an even bigger security hole. We won't send passwords via 
>> e-mail so they have to ring us. I know that we've created a rod for our 
>> own backs there.
> 
> One other way out of this dilemma is to kerberize the whole system. Firefox
> fairly recently gained support for single sign-on using Kerberos / GSSAPI
> and the HTTP negotiate authentication method. At the other end of the stack
> there is a mod_auth_kerb module for Apache to do the server end of the 
> HTTP negotiate auth. So as long as your browser has a valid kerberos ticket,
> you'll never see a password again :-)  You can configure PAM to hand out
> a krb ticket when logging into X, and GNOME has a daemon that'll prompt
> the user to renew the ticket when it periodically expires. 

The bit I didn't mention is that these people may access it from 
different equipment. So there's little point using something like 
Kerberos if they're signing on from different machines (unless my 
understanding of it is wrong).

Not only that but the clients are Windoze based (except those in IT :o) 
)[1]. Believe me I am working on this - gradually weaning people off MS 
Office is the second step (IE being the first). Office 2007 will help 
with that - showed some people (usually MS fans) the screenshots for the 
office "ribbon" and was pleased to hear gasps of shock and threats that 
we had better not buy it!

Ryan
[1] I mention this only because you mentioned X. I am aware of the idea 
that Kerberos will "work" with Windows single sign-on.