Presence/absence of the keytab
Donn Cave
donn at u.washington.edu
Tue May 9 11:29:47 EDT 2006
In article <87irojg529.fsf at windlord.stanford.edu>,
Russ Allbery <rra at stanford.edu> wrote:
...
> The pam_krb5 modules that I've used either don't do this or only do this
> when the keytab is available, presumably doing a security vs. ease of
> deployment tradeoff. One difficulty is that if the authentication is not
> being done as root, the PAM module needs something other than the host
> keytab to use for verification, and I don't know of any PAM module that is
> configurable enough to be pointed at any keytab and use that keytab for
> verification. It would be a good thing to add, though.

Wonder if this situation is common enough to warrant library support
for some default file convention, like /etc/krb5.keytab if root,
otherwise ~/krb5.keytab.

Not to say a configurable parameter isn't a good thing, too.

Donn Cave, donn at u.washington.edu