Presence/absence of the keytab

Russ Allbery rra at stanford.edu
Sat May 6 00:17:34 EDT 2006


Richard E Silverman <res at qoxp.net> writes:
>>>>>> "SL" == Scott Lowe <slowe at eplus.com> writes:

>     SL> I was just a bit caught off-guard by the fact that the
>     SL> authentication (again, via pam_krb5) worked even when the keytab
>     SL> was not installed.

> pam_krb5 verifies your password against Kerberos, right?  In that case,
> there *should* be a keytab, due to the issue alluded to earlier in this
> thread: the module should obtain a host ticket to defend against a KDC
> spoofing attack.  If it let you in without that, perhaps there's a
> "verify KDC" option that's turned off (and ideally, should be turned
> on).

The pam_krb5 modules that I've used either don't do this or only do this
when the keytab is available, presumably doing a security vs. ease of
deployment tradeoff.  One difficulty is that if the authentication is not
being done as root, the PAM module needs something other than the host
keytab to use for verification, and I don't know of any PAM module that is
configurable enough to be pointed at any keytab and use that keytab for
verification.  It would be a good thing to add, though.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
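The KDC-spoofing attack and the keytab-based check that the thread says pam_krb5 should perform, as an added toy model (not code from the thread or from any pam_krb5 module). Real Kerberos encryption is replaced by HMAC tags, and the realm, host name and passwords are constructed values; the point is that without a keytab the module cannot tell a spoofed AS reply from a real one.

```python
import hashlib
import hmac
import os

REALM, HOST = "EXAMPLE.COM", "host/box.example.com"  # constructed names

def derive_key(password, principal):
    # Stand-in for Kerberos string-to-key: salted with realm and principal.
    return hashlib.sha256(f"{REALM}{principal}{password}".encode()).digest()
def seal(key, body):
    # Stand-in for an encrypted ticket part: verifiable only with the same key.
    return body, hmac.new(key, body.encode(), "sha256").digest()
def unseal(key, sealed):
    body, tag = sealed
    expected = hmac.new(key, body.encode(), "sha256").digest()
    return body if hmac.compare_digest(tag, expected) else None

class HonestKDC:
    """Real KDC: holds every principal's key, answers AS and TGS exchanges."""
    def __init__(self, keys):
        self.keys, self.krbtgt = keys, os.urandom(32)
    def as_exchange(self, user):
        # AS-REP: TGT under the krbtgt key plus a part under the user's key.
        return seal(self.krbtgt, f"tgt:{user}"), seal(self.keys[user], "session")
    def tgs_exchange(self, tgt, service):
        if unseal(self.krbtgt, tgt) is None:
            return seal(os.urandom(32), "rejected")  # forged TGT
        return seal(self.keys[service], f"ticket:{service}")

class RogueKDC:
    """Spoofed KDC on the network path: knows no real key, so it answers
    the AS exchange with a reply keyed to a password it chose itself."""
    def __init__(self, chosen_password):
        self.chosen_password, self.krbtgt = chosen_password, os.urandom(32)
    def as_exchange(self, user):
        enc_part = seal(derive_key(self.chosen_password, user), "session")
        return seal(self.krbtgt, f"tgt:{user}"), enc_part
    def tgs_exchange(self, tgt, service):
        # It has never seen the host key, so this ticket cannot verify.
        return seal(os.urandom(32), f"ticket:{service}")

def pam_login(kdc, user, password, keytab_key=None):
    """Model of pam_krb5 password verification; True means login accepted.
    keytab_key=None models a host with no keytab: the KDC check is skipped."""
    tgt, enc_part = kdc.as_exchange(user)
    if unseal(derive_key(password, user), enc_part) is None:
        return False  # AS-REP did not decrypt: password rejected
    if keytab_key is None:
        return True  # nothing to verify the KDC against
    return unseal(keytab_key, kdc.tgs_exchange(tgt, HOST)) is not None
```

With a keytab the host-ticket step fails against the rogue KDC; without one, a rogue KDC's chosen password is accepted as the user's.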