Presence/absence of the keytab
Marcus Watts
mdw at umich.edu
Sat May 6 01:38:58 EDT 2006
"Richard E. Silverman" <res at qoxp.net> and others wrote:
> Subject: Re: Presence/absence of the keytab
> References: <4bpb78F125ig9U1 at individual.net>
> <m2psiuqlxo.fsf at darwin.oankali.net>
> <donn-516701.09295304052006 at gnus01.u.washington.edu>
> <4buuu2F13d5okU3 at individual.net>
> <donn-7FA334.11575104052006 at gnus01.u.washington.edu>
> <4c117cF13h2l2U1 at individual.net>
> From: "Richard E. Silverman" <res at qoxp.net>
> Date: 06 May 2006 00:14:58 -0400
> Message-ID: <m2k68z4wn1.fsf at darwin.oankali.net>
> To: kerberos at mit.edu
>
> >>>>> "SL" == Scott Lowe <slowe at eplus.com> writes:
>
> SL> I was just a bit caught off-guard by the fact that the
> SL> authentication (again, via pam_krb5) worked even when the keytab
> SL> was not installed.
>
> pam_krb5 verifies your password against Kerberos, right? In that case,
> there *should* be a keytab, due to the issue alluded to earlier in this
> thread: the module should obtain a host ticket to defend against a KDC
> spoofing attack. If it let you in without that, perhaps there's a "verify
> KDC" option that's turned off (and ideally, should be turned on).
>
> --
> Richard Silverman
> res at qoxp.net
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
There are two easy ways pam_krb5 could use a host ticket to defend
against a host spoof attack. It could contain logic to explicitly
get a host ticket. Typically there will be calls to routines like
krb5_kt_read_service_key
krb5_mk_req
krb5_rd_req
Or it could be using the Kerberos 5 library call krb5_verify_init_creds()
to do the same thing. In the latter case there is in fact an option to
control what happens when the keytab is missing. There are two ways to
invoke this:
/1/ compile-time configuration: add logic:
add variable, type: krb5_verify_init_creds_opt
initialize with
krb5_verify_init_creds_opt_init
use krb5_verify_init_creds_opt_set_ap_req_nofail
to set KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.
pass as last parm to krb5_verify_init_creds
/2/ run-time configuration:
add [libdefaults]
verify_ap_req_nofail = TRUE
to krb5.conf
At a quick glance, the "libpam-krb5 1.2.0" that comes with Debian Linux
does the former - hardcoded logic. There doesn't seem to be any way to
make it give up if no keytab is present, but there is a debug option
that will cause it to log helpful text when various errors occur,
including no keytab.
-Marcus Watts
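As an added example (not code from this thread or from libpam-krb5), a small Python audit that predicts which outcome a pam_krb5 built on the krb5_verify_init_creds() route reaches, from a krb5.conf's verify_ap_req_nofail setting and whether the host keytab is present. It assumes that library route rather than the hardcoded logic mentioned for the Debian package; the sample krb5.conf texts and the realm name are constructed.

```python
"""Added audit helper for the krb5_verify_init_creds() path discussed above."""
import os
import re

TRUE_WORDS = {"true", "yes", "on", "1", "t", "y"}  # boolean spellings libkrb5 accepts

def libdefaults(conf_text):
    """Return the top-level key/value pairs of [libdefaults] from krb5.conf text.
    Brace-delimited subsections (as in [realms]) are skipped, not parsed."""
    section, depth, out = None, 0, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        hdr = re.match(r"^\[(\w+)\]$", line)
        if hdr:
            section, depth = hdr.group(1), 0
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            out[key] = val
    return out

def verify_policy(conf_text, have_keytab):
    """'verified': AP-REQ is checked against the host key; 'login-refused':
    no keytab and nofail is set; 'unverified': no keytab, check is skipped."""
    opts = libdefaults(conf_text)
    nofail = opts.get("verify_ap_req_nofail", "false").lower() in TRUE_WORDS
    if have_keytab:
        return "verified"
    return "login-refused" if nofail else "unverified"

def audit(conf_path="/etc/krb5.conf", keytab_path="/etc/krb5.keytab"):
    """Run the classification against the live host files."""
    with open(conf_path) as fh:
        return verify_policy(fh.read(), os.path.exists(keytab_path))

# Constructed sample krb5.conf texts (not from the thread); the realm is made up.
HARDENED_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM   # constructed realm name
    verify_ap_req_nofail = TRUE
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""
DEFAULT_CONF = HARDENED_CONF.replace("    verify_ap_req_nofail = TRUE\n", "")
```

Running audit() on a host reports "unverified" exactly in the situation the thread describes: no keytab installed and the option left at its default.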