pam-krb5 3.5 released
Ken Raeburn
raeburn at MIT.EDU
Sun Jun 3 15:07:51 EDT 2007
On Jun 3, 2007, at 12:43, Russ Allbery wrote:
> Yes. Unless I'm missing something, it seems like krb5_verify_init_creds
> could use any key in the keytab (well, provided that there isn't another
> key for the same principal with a later kvno) if no particular principal
> is specified.
At least around MIT, a single key file is often used as the
distribution mechanism for all the keys to be used on a host,
regardless of whether each service runs as root or not. Obviously
keys for non-root services would have to be copied out, but that
doesn't mean that the default keytab file won't still have copies of
keys available to anyone who compromises a non-root service. So a
facility run as root should probably prefer keys most likely to be
accessible only to root, namely, the host key.
Since most uses of verify_init_creds are probably for actual login
access, I think the current behavior is probably the right default.
If no host key is present, then maybe using another key makes sense.
Ken
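
The key preference discussed in this message, as an added example that is not part of the original post and is not MIT krb5 code: a Python model that reads `klist -k` output and picks the key a root login service should verify against, preferring the host key and warning on any fallback. The sample listing, realm, host names and the function names are constructed for illustration.

```python
import re

# Constructed sample of `klist -k` output; realm, hosts and kvnos are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/web1.example.org@EXAMPLE.ORG
   3 host/web1.example.org@EXAMPLE.ORG
   5 HTTP/web1.example.org@EXAMPLE.ORG
   1 imap/web1.example.org@EXAMPLE.ORG
"""

# One keytab entry line: a kvno followed by principal@REALM.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")

def parse_klist(text):
    """Return {principal: highest kvno} from `klist -k` output."""
    newest = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, princ = int(m.group(1)), m.group(2)
            # Older kvnos of the same principal are superseded.
            newest[princ] = max(kvno, newest.get(princ, 0))
    return newest

def choose_verification_key(text):
    """Pick the key a root login service should verify against.

    Returns (principal, kvno, warning). Host keys win; any other service
    key is only a fallback and carries a warning, because copies of it may
    be readable by the non-root account that runs that service.
    """
    newest = parse_klist(text)
    if not newest:
        return None, None, "keytab has no entries; KDC reply cannot be verified"
    host = sorted(p for p in newest if p.startswith("host/"))
    if host:
        return host[0], newest[host[0]], None
    princ = sorted(newest)[0]
    return princ, newest[princ], "no host key; falling back to " + princ

if __name__ == "__main__":
    print(choose_verification_key(SAMPLE_KLIST))
```
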