Presence/absence of the keytab
Richard E. Silverman
res at qoxp.net
Sat May 6 00:14:58 EDT 2006
>>>>> "SL" == Scott Lowe <slowe at eplus.com> writes:
SL> I was just a bit caught off-guard by the fact that the
SL> authentication (again, via pam_krb5) worked even when the keytab
SL> was not installed.
pam_krb5 verifies your password against Kerberos, right? In that case,
there *should* be a keytab, due to the issue alluded to earlier in this
thread: the module should obtain a host ticket to defend against a KDC
spoofing attack. If it let you in without that, perhaps there's a "verify
KDC" option that's turned off (and ideally, should be turned on).
--
Richard Silverman
res at qoxp.net
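
Added example, not part of the original message: a host-side check for the condition discussed above. It assumes MIT Kerberos and a PAM module that validates the KDC through krb5_verify_init_creds(), whose behaviour without a usable keytab is governed by the krb5.conf [libdefaults] setting verify_ap_req_nofail; the function names and status words are hypothetical.

```shell
#!/bin/sh
# Added example (assumption: MIT Kerberos semantics for verify_ap_req_nofail).
# Usage: kdc_verify_status [krb5.conf] [keytab]
# Prints one of:
#   verifiable   keytab present, so the KDC reply can be checked with a host ticket
#   fail-closed  no usable keytab, but verification failure is treated as an error
#   unverified   no usable keytab and verification is silently skipped

# Print the value of verify_ap_req_nofail from [libdefaults]; default is false.
nofail_setting() {
    [ -r "$1" ] || { echo false; return 0; }
    awk '
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && /^[ \t]*verify_ap_req_nofail[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); val = tolower($0)
        }
        END { print (val == "" ? "false" : val) }
    ' "$1"
}

# Boolean spellings accepted in krb5.conf.
is_true() {
    case $1 in
        true|t|yes|y|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

kdc_verify_status() {
    conf=${1:-/etc/krb5.conf}
    keytab=${2:-/etc/krb5.keytab}
    # File-level check only; on a real host, `klist -k` shows whether the
    # keytab actually holds a host/ principal.
    if [ -r "$keytab" ] && [ -s "$keytab" ]; then
        echo verifiable
    elif is_true "$(nofail_setting "$conf")"; then
        echo fail-closed
    else
        echo unverified
    fi
}
```

A result of `unverified` matches the behaviour reported in the quoted text: password authentication succeeds although no keytab is installed.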