pam-krb5 3.5 released

Russ Allbery rra at stanford.edu
Fri Jun 1 15:55:29 EDT 2007


Markus Moeller <huaraz at moeller.plus.com> writes:

> 1) The application runs as non-root and I'd like to use the keytab check
> to verify that it came from the right KDC. At the moment your code
> allows changing the keytab file itself but not the service. It always
> looks for the host principal. Can you add an option to change this to
> another principal so I can keep the system keytab accessible only by
> root?

I'm pretty sure this is not the case.  The PAM module just calls
krb5_verify_init_creds, and at least in the MIT implementation, it uses
whatever key it can find in the keytab to do the verification.  It doesn't
have to use a host key.

> 2) Since the application doesn't need to check the existence of the user
> on the OS, can you add an option to not use the OS user check with
> getpwnam (as you mention in the code, it means pam_setcred and
> pam_open_session don't work, but that would not be needed anyway)? I
> would need only the auth and account features of PAM.

The module only calls getpwnam for session-related functions and to find
the user's .k5login file, and has fallback logic for the latter, so as
near as I can tell, this feature is already implemented.  What specific
problems are you having?

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
