Presence/absence of the keytab

Russ Allbery rra at stanford.edu
Sat May 6 01:52:19 EDT 2006


Marcus Watts <mdw at umich.edu> writes:

> Or it could be using the kerberos 5 library call
> krb5_verify_init_creds() to do the same thing.  In the latter case there
> is in fact an option to control what happens when the keytab is missing.
> There are two ways to invoke this:

> 	/1/ compile-time configuration: add logic:
> 		add variable, type: krb5_verify_init_creds_opt
> 		initialize with
> 			krb5_verify_init_creds_opt_init
> 		use krb5_verify_init_creds_opt_set_ap_req_nofail
> 			to set KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.
> 		pass as last parm to krb5_verify_init_creds

> 	/2/ run-time configuration:
> 		add [libdefaults]
> 			verify_ap_req_nofail = TRUE
> 		to krb5.conf

> At a quick glance, the "libpam-krb5 1.2.0" that comes with debian linux
> does the former - hardcoded logic.  Doesn't seem to be any way to make
> it give up if no keytab is present, but there is a debug option that
> will cause it to log helpful text when various errors occur, including
> no keytab.

Is this run-time configuration supported with both MIT Kerberos and
Heimdal?  If so, I can modify Debian's libpam-krb5 to use that approach
instead (since it looks like I'm going to end up being the upstream
maintainer of that fork of the code anyway since we need it at Stanford
and I need to add and fix a bunch of bits in it anyway).

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


