Presence/absence of the keytab
Scott Lowe
slowe at eplus.com
Tue May 16 09:34:19 EDT 2006
On 2006-05-08 13:22:40 -0400, Scott Lowe <slowe at eplus.com> said:
> On 2006-05-06 00:14:58 -0400, "Richard E. Silverman" <res at qoxp.net> said:
>
>>>>>>> "SL" == Scott Lowe <slowe at eplus.com> writes:
>>
>> SL> I was just a bit caught off-guard by the fact that the
>> SL> authentication (again, via pam_krb5) worked even when the keytab
>> SL> was not installed.
>>
>> pam_krb5 verifies your password against Kerberos, right? In that case,
>> there *should* be a keytab, due to the issue alluded to earlier in this
>> thread: the module should obtain a host ticket to defend against a KDC
>> spoofing attack. If it let you in without that, perhaps there's a "verify
>> KDC" option that's turned off (and ideally, should be turned on).
>
> It looks as if there is a parameter for pam_krb5 (the parameter is
> "validate") that requires validation of the TGT (see
> <http://www.die.net/doc/linux/man/man5/pam_krb5.5.html>). The default
> value is false, which is why I assume that the absence of the keytab
> didn't matter. I would guess that setting this parameter to true would
> cause authentication via pam_krb5 to fail if the keytab is not present.
> I intend to test this and will post back any results as soon as I have
> them.
>
> Thanks again for everyone's time and responses.
I performed some additional testing (using CentOS 4.3 and pam_krb5--not
sure which version, but it was the version included with the
distribution) and the "validate" parameter has no effect on the
module's operation. Authentication via pam_krb5 occurred successfully
(either via console login or via ssh) whether the keytab was present or
not.
This supports Russ' earlier statement that the pam_krb5 modules he's
worked with just don't do this or only do this when the keytab is
available.
--
Regards,
Scott Lowe
ePlus Technology Inc.
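Added example, not part of the thread above and not code from any pam_krb5 release: a small shell audit of the three things a host needs before the pam_krb5 "validate" option can actually defend against a spoofed KDC, namely the option itself on the "auth" line, a host keytab that is present and readable, and the krb5.conf setting that makes a missing keytab a hard failure. It assumes the Red Hat pam_krb5 option syntax from the man page linked earlier in the thread, and it assumes MIT Kerberos's documented behaviour that the initial-credential verification "validate" relies on (krb5_verify_init_creds) treats an unreadable keytab as success unless verify_ap_req_nofail = true is set in the [libdefaults] section of krb5.conf, which would account for logins succeeding with no keytab installed. The file paths, the sample PAM lines, the sample krb5.conf contents and the placeholder keytab are all constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread, not pam_krb5 code): audit whether a host
# is set up so pam_krb5's "validate" option can defend against KDC spoofing.
# Assumptions: Red Hat pam_krb5 syntax ("validate" on the auth line), and MIT
# krb5 semantics where krb5_verify_init_creds() passes silently without a
# keytab unless verify_ap_req_nofail = true is set in [libdefaults].

# pam_has_validate <pam-config-file>
# Returns 0 if every "auth ... pam_krb5.so" line carries the validate option.
pam_has_validate() {
    pam_file=$1
    lines=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_krb5\.so' "$pam_file" || true)
    [ -n "$lines" ] || return 1                      # pam_krb5 not used for auth
    # any auth line that lacks "validate" means the TGT is never checked
    printf '%s\n' "$lines" \
        | grep -Ev '(^|[[:space:]])validate([[:space:]]|$)' >/dev/null && return 1
    return 0
}

# krb5_conf_nofail <krb5.conf>
# Returns 0 if [libdefaults] sets verify_ap_req_nofail to true/yes/1.
krb5_conf_nofail() {
    awk '
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[libdefaults\]/) }
        insect && $0 ~ /^[[:space:]]*verify_ap_req_nofail[[:space:]]*=[[:space:]]*(true|yes|1)[[:space:]]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# keytab_readable <keytab>
# Returns 0 if the keytab exists, is non-empty and is readable by the caller.
keytab_readable() {
    [ -s "$1" ] && [ -r "$1" ]
}

# audit_kdc_spoof_defense <pam-config> <krb5.conf> <keytab>
# Prints one line per check; returns 0 only when all three pass.
audit_kdc_spoof_defense() {
    rc=0
    if pam_has_validate "$1"; then echo "pam_krb5 validate: present"
    else echo "pam_krb5 validate: MISSING (TGT never verified)"; rc=1; fi
    if krb5_conf_nofail "$2"; then echo "verify_ap_req_nofail: true"
    else echo "verify_ap_req_nofail: unset (a missing keytab passes silently)"; rc=1; fi
    if keytab_readable "$3"; then echo "keytab $3: readable"
    else echo "keytab $3: missing or unreadable"; rc=1; fi
    return $rc
}

# Demonstration against constructed sample files (not a real host's config).
demo() {
    d=$(mktemp -d) || return 0
    printf 'auth sufficient pam_krb5.so use_first_pass\n' > "$d/weak.pam"
    printf 'auth sufficient pam_krb5.so use_first_pass validate\n' > "$d/strong.pam"
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n' > "$d/weak.conf"
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n verify_ap_req_nofail = true\n' > "$d/strong.conf"
    printf 'constructed placeholder, not a real keytab\n' > "$d/krb5.keytab"
    echo "== weak host (login works even with no keytab installed) =="
    audit_kdc_spoof_defense "$d/weak.pam" "$d/weak.conf" "$d/no-such.keytab" || true
    echo "== hardened host =="
    audit_kdc_spoof_defense "$d/strong.pam" "$d/strong.conf" "$d/krb5.keytab" || true
    rm -rf "$d"
    return 0
}
demo
```

Run it as-is to see the constructed weak and hardened hosts side by side, or call audit_kdc_spoof_defense with /etc/pam.d/system-auth, /etc/krb5.conf and /etc/krb5.keytab on a real machine. Two caveats: the keytab check only tests readability for the invoking user, whereas pam_krb5 runs with the privileges of the login process (normally root); and it does not inspect the keytab's contents, so a keytab that exists but lacks a host/fqdn principal for this machine's name would still pass here and still fail validation at login.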