Security issue with pam-krb5 ?

Sam Hartman hartmans at MIT.EDU
Thu Aug 28 15:54:08 EDT 2003

>>>>> "Brian" == Brian Davidson <bdavids1 at> writes:

    Brian> On Wednesday, August 27, 2003, at 02:16 PM, Matthijs
    Brian> Mohlmann wrote:
    >>  Am I right when I say libpam-krb5 sends the password
    >> cleartext over the network ?

    Brian> libpam-krb5 attempts to obtain a TGT from your KDC.
    Brian> Successfully obtaining a TGT means you are authenticated.

Actually, no, you need to verify this TGT against some known service
principal like the local host key.

Successfully obtaining a TGT only implies authentication if the user
and a spoofed KDC aren't cooperating.
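
[Added example, not part of the original message and not pam-krb5 code: a toy Python model of the point above, showing why a login check that stops at "got a TGT" accepts an impostor KDC while a check against the local host key does not. ToyKDC, login, seal/unseal, the toy cipher and all keys and passwords are constructed for illustration and are not real Kerberos encryption types.]

```python
import hashlib, hmac, os

def pw_key(password):                      # toy string-to-key, not a real Kerberos enctype
    return hashlib.sha256(b"toy-s2k" + password.encode()).digest()

def _stream(key, nonce, n):                # SHA-256 counter keystream (toy cipher)
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):                       # encrypt-then-MAC stand-in for Kerberos encryption
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):                     # raises ValueError if blob was not sealed with key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed with this key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class ToyKDC:
    def __init__(self, user_keys, service_keys):
        self.users, self.services, self.tgs_key = user_keys, service_keys, os.urandom(32)
    def as_req(self, user):                # -> (session key sealed for user, TGT)
        sk = os.urandom(32)
        return seal(self.users[user], sk), seal(self.tgs_key, sk)
    def tgs_req(self, tgt, service):       # -> (service session key sealed for client, ticket)
        sk, svc_sk = unseal(self.tgs_key, tgt), os.urandom(32)
        return seal(sk, svc_sk), seal(self.services[service], svc_sk)

def login(kdc, user, password, host_key=None):
    try:
        for_user, tgt = kdc.as_req(user)
        sk = unseal(pw_key(password), for_user)      # "successfully obtained a TGT"
        if host_key is None:
            return True                              # unverified: trusts whoever answered
        for_client, ticket = kdc.tgs_req(tgt, "host/localhost")
        # Verified: the ticket must decrypt under the key in the local keytab.
        return hmac.compare_digest(unseal(sk, for_client), unseal(host_key, ticket))
    except (KeyError, ValueError):
        return False

HOST_KEY = os.urandom(32)                  # constructed: shared by the real KDC and the keytab
real = ToyKDC({"alice": pw_key("correct horse")}, {"host/localhost": HOST_KEY})
# Constructed impostor: knows a password it made up, but can only guess the host key.
fake = ToyKDC({"root": pw_key("made-up")}, {"host/localhost": os.urandom(32)})
```

[In MIT krb5 the corresponding check is exposed as krb5_verify_init_creds(), which validates the initial credentials against a key in the local keytab.]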

