Presence/absence of the keytab
Markus Moeller
huaraz at moeller.plus.com
Thu May 4 15:33:07 EDT 2006
BTW. You don't really need a keytab. Windows, for example, uses its own store
and updates it regularly as part of the system trust key update.
Markus
"Donn Cave" <donn at u.washington.edu> wrote in message
news:donn-7FA334.11575104052006 at gnus01.u.washington.edu...
> In article <4buuu2F13d5okU3 at individual.net>,
> Scott Lowe <slowe at eplus.com> wrote:
>> On 2006-05-04 12:29:53 -0400, Donn Cave <donn at u.washington.edu> said:
>
>> > True, though there is a sort of grey area inhabited by services
>> > that use Kerberos to perform password authentication. This is
>> > functionally like "kinit", but semantically quite different, and
>> > without a service principal to validate the authentication results,
>> > they're vulnerable.
>> >
>> > So depending on what `successfully authenticate' actually means here,
>> > the information and instructions that say to get a service principal
>> > and a keytab may be worth listening to, even if the service appears
>> > to work without it.
>
>> I suppose if I were seeking to use a fully Kerberized server
>> application that accepts Kerberos tickets from Kerberos clients, then a
>> keytab would be necessary. In this instance, the service does not
>> accept Kerberos authentication from connecting systems, but acts as a
>> Kerberos client on the back-end to perform authentication (using PAM).
>> It seems to make sense, then, that a keytab would not be necessary. At
>> least, not in this situation.
>
> I guess it depends on what you mean by "necessary", but if there's
> any reasonable possibility that you could create a host service
> principal and install that keytab, I would do it. If you have
> reason to believe that the PAM authentication isn't actually using
> the keytab, I would find out why and try to get it fixed. Without
> it, you're vulnerable. Of course everything's relative, and the
> authorization you're providing with this authentication may not
> warrant the concern, but that's different than thinking it isn't
> necessary in the sense that there is no use for it, which would be
> an error.
>
> Donn Cave, donn at u.washington.edu
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
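Added example, not part of the thread: the MIT krb5 `krb5.conf` setting that turns the gap Donn describes into a hard failure. By default, the library's verification of a password-obtained TGT (the step that needs the host service principal's key from the keytab) is silently skipped when no keytab is readable; `verify_ap_req_nofail` makes that case fail instead. The realm is a placeholder; the keytab path is the library default.

```ini
# Added example (not from the thread). Fragment of /etc/krb5.conf for MIT krb5.
#
# Weak (library default): when the host has no keytab, the initial-credentials
# verification is skipped and a password login is accepted on the KDC's word
# alone. This is the exposure discussed above.
#
#   [libdefaults]
#       verify_ap_req_nofail = false
#
# Hardened: a missing or unreadable keytab makes the verification, and with it
# the login, fail closed, so a missing host principal is noticed rather than
# silently tolerated.
[libdefaults]
    # placeholder realm
    default_realm = EXAMPLE.COM
    # library default; the host/<fqdn> key installed with kadmin ktadd lives here
    default_keytab_name = FILE:/etc/krb5.keytab
    verify_ap_req_nofail = true
```

With this set, a PAM login on a host that has no host principal in its keytab fails rather than succeeding unverified, which surfaces exactly the misconfiguration Donn suggests tracking down.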