pam-krb5 3.5 released
    Russ Allbery
    rra at stanford.edu
    Fri Jun  1 15:55:29 EDT 2007

Markus Moeller <huaraz at moeller.plus.com> writes:

> 1) The application runs as non-root and I'd like to use the keytab check
> to verify that it came from the right KDC. At the moment your code
> allows changing the keytab file itself but not the service. It always
> looks for the host principal. Can you add an option to change this to
> another principal so I can keep the system keytab only accessible by
> root?

I'm pretty sure this is not the case.  The PAM module just calls
krb5_verify_init_creds, and at least in the MIT implementation, it uses
whatever key it can find in the keytab to do the verification.  It doesn't
have to use a host key.

> 2) Since the application doesn't need to check the existence of the user
> on the OS, can you add an option to not use the OS user check with
> getpwnam (as you mention in the code, it means pam_setcred and
> pam_open_session don't work, but that would not be needed anyway)? I
> would need only the auth and account features of PAM.

The module only calls getpwnam for session-related functions and to find
the user's .k5login file, and has fallback logic for the latter, so as
near as I can tell, this feature is already implemented.  What specific
problems are you having?
-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>