Presence/absence of the keytab

Marcus Watts mdw at umich.edu
Sat May 6 01:38:58 EDT 2006


"Richard E. Silverman" <res at qoxp.net> and others wrote:
> Subject: Re: Presence/absence of the keytab
> References: <4bpb78F125ig9U1 at individual.net>
> 	<m2psiuqlxo.fsf at darwin.oankali.net>
> 	<donn-516701.09295304052006 at gnus01.u.washington.edu>
> 	<4buuu2F13d5okU3 at individual.net>
> 	<donn-7FA334.11575104052006 at gnus01.u.washington.edu>
> 	<4c117cF13h2l2U1 at individual.net>
> From: "Richard E. Silverman" <res at qoxp.net>
> Date: 06 May 2006 00:14:58 -0400
> Message-ID: <m2k68z4wn1.fsf at darwin.oankali.net>
> To: kerberos at mit.edu
> 
> >>>>> "SL" == Scott Lowe <slowe at eplus.com> writes:
> 
>     SL> I was just a bit caught off-guard by the fact that the
>     SL> authentication (again, via pam_krb5) worked even when the keytab
>     SL> was not installed.
> 
> pam_krb5 verifies your password against Kerberos, right?  In that case,
> there *should* be a keytab, due to the issue alluded to earlier in this
> thread: the module should obtain a host ticket to defend against a KDC
> spoofing attack.  If it let you in without that, perhaps there's a "verify
> KDC" option that's turned off (and ideally, should be turned on).
> 
> -- 
>   Richard Silverman
>   res at qoxp.net
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

There are 2 easy ways pam_krb5 could use a host ticket to defend
against a host spoof attack.  It could contain logic to explicitly
get a host ticket.  Typically there will be calls to routines like
	krb5_kt_read_service_key
	krb5_mk_req
	krb5_rd_req
Or it could be using the kerberos 5 library call krb5_verify_init_creds()
to do the same thing.  In the latter case there is in fact an option to
control what happens when the keytab is missing.  There are two ways to
invoke this:
	/1/ compile-time configuration: add logic:
		add variable, type: krb5_verify_init_creds_opt
		initialize with
			krb5_verify_init_creds_opt_init
		use krb5_verify_init_creds_opt_set_ap_req_nofail
			to set KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.
		pass as last parm to krb5_verify_init_creds

	/2/ run-time configuration:
		add [libdefaults]
			verify_ap_req_nofail = TRUE
		to krb5.conf
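
For the run-time route above, the following added shell check (not part of this post, and not code from pam_krb5 or libpam-krb5) reads verify_ap_req_nofail from the [libdefaults] section of a krb5.conf and reports whether the krb5_verify_init_creds() host-ticket check would run, fail closed, or be skipped silently when the keytab is absent. The keytab and krb5.conf paths are passed in as arguments, and the sample files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit whether the KDC-spoofing
# defense in krb5_verify_init_creds() would run, fail closed, or be skipped
# silently on a host, judging from its krb5.conf and its keytab file.
# Assumes the usual krb5.conf layout ([section] headers, key = value lines).

# Print the raw value of verify_ap_req_nofail from [libdefaults], or nothing
# if it is unset there. Keys with the same name in other sections are ignored.
krb5_nofail_setting() {
    awk '
        /^[[:space:]]*[#;]/ { next }                       # comment line
        /^[[:space:]]*\[/ {                                # section header
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
            next
        }
        sec == "libdefaults" && /^[[:space:]]*verify_ap_req_nofail[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            print val
            exit
        }
    ' "$1"
}

# Classify the effective policy for a host. Arguments: krb5.conf path, keytab path.
# Prints one of:
#   enforced     keytab present: the AP-REQ check against the host key will run
#   fail-closed  keytab missing and nofail set: login fails rather than trusting the KDC
#   fail-open    keytab missing and nofail unset/false: the check is silently skipped
verify_policy() {
    conf="$1"; keytab="$2"
    val=$(krb5_nofail_setting "$conf" | tr '[:upper:]' '[:lower:]')
    case "$val" in
        y|yes|true|t|1|on) nofail=1 ;;
        *)                 nofail=0 ;;
    esac
    if [ -s "$keytab" ] && [ -r "$keytab" ]; then
        echo enforced
    elif [ "$nofail" -eq 1 ]; then
        echo fail-closed
    else
        echo fail-open
    fi
}

# Demo on constructed files (run with: sh audit_verify.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\tverify_ap_req_nofail=TRUE\n[realms]\n' > "$d/krb5.conf"
    printf 'constructed keytab placeholder\n' > "$d/krb5.keytab"
    echo "with keytab:    $(verify_policy "$d/krb5.conf" "$d/krb5.keytab")"
    echo "without keytab: $(verify_policy "$d/krb5.conf" "$d/none.keytab")"
    rm -rf "$d"
fi
```

A "fail-open" result is exactly the case described in the thread: the password is checked against the KDC, but nothing proves the KDC is the real one. Note that "enforced" only means a keytab file exists; whether it actually holds the host/ key the library will look up is something to confirm with `klist -k` on the real keytab, which this offline check cannot do.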

At a quick glance, the "libpam-krb5 1.2.0" that comes with Debian Linux
does the former - hardcoded logic.  Doesn't seem to be any way to
make it give up if no keytab is present, but there is a debug option
that will cause it to log helpful text when various errors occur,
including no keytab.

				-Marcus Watts


