Page Comparison

Moonshot-enabling GNOME requires the use of pam_gss, a PAM module that brings Moonshot compatibility to PAM. Unfortunately, pam_gss necessarily has to work in a way that is not generally recommended with Moonshot - the device becomes client device is not under the direct control of the user, and with pam_gss the device is both the client and the server. The consequence of this are is that the user's credentials (NAI and password) are exposed directly to the devicea device which is not the user's. Thus, you this should only consider deploying this if you understand be deployed where the implications and are happy with the risk are fully understood:

• Deployers should understand that visiting users' credentials the credentials of users using the device could be exposed on the device and take care to protect itthat device.
• Users should understand that their credential could be exposed and should thus do it only on devices managed by organisations they trust.

Due to the severity of this problem, the Moonshot project does not officially distribute pam_gss packages. Members of the community have made them available, however. The instructions on this page walk you through configuring GNOME using this community-provided code, but again - only do so if you understand the consequences.