Security issue with pam-krb5 ?

peter duff duffpl at
Fri Aug 29 14:34:10 EDT 2003

Brian Davidson wrote:
> Now that you mention it, I do see the potential
danger of a spoofed 
> KDC...  host keys still aren't _required_ by
libpam-krb5, as far as I 
> know.  Am I missing something?

No - you're not missing anything.  In the least,
redhat's pam_krb5 doesnt do this check.
>From /usr/share/doc/pam_krb5 on redhat 9:

"The new TGT is validated using a copy of the key for
the local workstation's host service if it is found in
the local keytab file."

So, only if the keytab exists, the check is done.

I think you also need 'validate=true' for this check
to be done.

You should check exactly how your pam_krb5
implementation reacts under these circumstances.



Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!

More information about the Kerberos mailing list