Presence/absence of the keytab

Donn Cave donn at u.washington.edu
Thu May 4 14:57:51 EDT 2006


In article <4buuu2F13d5okU3 at individual.net>,
 Scott Lowe <slowe at eplus.com> wrote:
> On 2006-05-04 12:29:53 -0400, Donn Cave <donn at u.washington.edu> said:

> > True, though there is a sort of grey area inhabited by services
> > that use Kerberos to perform password authentication.  This is
> > functionally like "kinit", but semantically quite different, and
> > without a service principal to validate the authentication results,
> > they're vulnerable.
> > 
> > So depending on what `successfully authenticate' actually means here,
> > the information and instructions that say to get a service principal
> > and a keytab may be worth listening to, even if the service appears
> > to work without it.

> I suppose if I were seeking to use a fully Kerberized server 
> application that accepts Kerberos tickets from Kerberos clients, then a 
> keytab would be necessary.  In this instance, the service does not 
> accept Kerberos authentication from connecting systems, but acts as a 
> Kerberos client on the back-end to perform authentication (using PAM).  
> It seems to make sense, then, that a keytab would not be necessary.  At 
> least, not in this situation.

I guess it depends on what you mean by "necessary", but if there's
any reasonable possibility that you could create a host service
principal and install that keytab, I would do it.  If you have
reason to believe that the PAM authentication isn't actually using
the keytab, I would find out why and try to get it fixed.  Without
it, you're vulnerable.  Of course everything's relative, and the
authorization you're providing with this authentication may not
warrant the concern, but that's different than thinking it isn't
necessary in the sense that there is no use for it, which would be
an error.

   Donn Cave, donn at u.washington.edu
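The exposure behind "without it, you're vulnerable" is KDC spoofing: a PAM module that only checks whether it can decrypt the AS-REP with the key derived from the typed password will also accept a reply from any KDC that an attacker points the host at, because the attacker can register the same username there under a password of their choosing. The keytab closes that hole: after the password check, the client requests a ticket for its own host/ principal and decrypts it with the key from the keytab, which a rogue KDC does not hold (in MIT krb5 this is what krb5_verify_init_creds does). The following is an added example modelling both checks against a genuine and a rogue KDC; it is not code from this thread or from any pam_krb5 module. The principal names, the keytab contents, the passwords, and the seal/unseal routine (a toy encrypt-then-MAC with PBKDF2 standing in for the real string-to-key function) are all constructed for illustration and are not Kerberos wire crypto.

```python
import hashlib
import hmac
import os
import secrets


def string_to_key(password, principal):
    # Kerberos derives the long-term key from the password and a salt
    # (realm + principal); PBKDF2 is a stand-in for the real string-to-key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key, msg):
    """Toy encrypt-then-MAC: nonce || ciphertext || tag. Not real Kerberos crypto."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or the blob is forged."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Minimal AS and TGS exchanges. 'keys' maps principal name -> long-term key."""

    def __init__(self, keys):
        self.keys = keys
        self.tgs_key = secrets.token_bytes(32)  # krbtgt key, never leaves the KDC

    def as_exchange(self, client):
        session = secrets.token_bytes(32)
        tgt = seal(self.tgs_key, session)            # opaque to the client
        enc_part = seal(self.keys[client], session)  # readable only with the user's key
        return tgt, enc_part

    def tgs_exchange(self, tgt, service):
        session = unseal(self.tgs_key, tgt)
        svc_session = secrets.token_bytes(32)
        # A KDC that does not hold the service's key can only fabricate a ticket
        # under some other key, which the service's keytab will not decrypt.
        svc_key = self.keys.get(service) or secrets.token_bytes(32)
        return seal(svc_key, svc_session), seal(session, svc_session)


def password_only_login(kdc, user, password):
    """PAM-style check with no keytab: 'success' means the AS-REP decrypted."""
    _tgt, enc_part = kdc.as_exchange(user)
    try:
        unseal(string_to_key(password, user), enc_part)
        return True
    except ValueError:
        return False


def verified_login(kdc, user, password, host_principal, keytab):
    """Same check, then prove the KDC is genuine: fetch a ticket for host_principal
    and decrypt it with the keytab key (the krb5_verify_init_creds step)."""
    tgt, enc_part = kdc.as_exchange(user)
    try:
        session = unseal(string_to_key(password, user), enc_part)
        ticket, enc_part2 = kdc.tgs_exchange(tgt, host_principal)
        from_ticket = unseal(keytab[host_principal], ticket)  # needs the real host key
        from_session = unseal(session, enc_part2)
    except ValueError:
        return False
    return hmac.compare_digest(from_ticket, from_session)


def run_scenarios():
    host = "host/box.example.com"                      # constructed principal name
    keytab = {host: secrets.token_bytes(32)}           # constructed /etc/krb5.keytab
    real_kdc = KDC({"alice": string_to_key("hunter2", "alice"), host: keytab[host]})
    # Attacker redirects the box to a KDC they control (DNS or route spoofing)
    # and registers "alice" there with a password they know.
    rogue_kdc = KDC({"alice": string_to_key("letmein", "alice")})
    return {
        "real_kdc_good_pw_no_keytab": password_only_login(real_kdc, "alice", "hunter2"),
        "real_kdc_bad_pw_no_keytab": password_only_login(real_kdc, "alice", "wrong"),
        "rogue_kdc_no_keytab": password_only_login(rogue_kdc, "alice", "letmein"),
        "real_kdc_good_pw_keytab": verified_login(real_kdc, "alice", "hunter2", host, keytab),
        "rogue_kdc_keytab": verified_login(rogue_kdc, "alice", "letmein", host, keytab),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:30s} -> {'ACCEPT' if ok else 'REJECT'}")
```

The third scenario is the one that matters: with no keytab the rogue KDC's reply is accepted and the attacker is logged in as alice; with the keytab the forged host ticket fails to decrypt and the login is rejected. On a real MIT krb5 host the corresponding knob is verify_ap_req_nofail in krb5.conf; with it unset, a missing or unreadable keytab makes the library skip the verification silently rather than fail, which is the "find out why and get it fixed" case above.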


