pam-krb5 3.5 released
Markus Moeller
huaraz at moeller.plus.com
Mon Jun 4 03:43:40 EDT 2007
Russ,
wouldn't it be better from a security perspective to change the default of
verify_ap_req_nofail. Right now if the keytab doesn not exist or the verify
fails the user can login. Can you enforce it in pam_krb5 and only if
verify_ap_req_nofail is set to no ignore the check ?
Thank you
Markus
"Russ Allbery" <rra at stanford.edu> wrote in message
news:871wgtaszp.fsf at windlord.stanford.edu...
> Markus Moeller <huaraz at moeller.plus.com> writes:
>> "Russ Allbery" <rra at stanford.edu> wrote:
>
>>> Oh, bleh. Yeah, I misread that code; I thought it was doing something
>>> smarter. Okay, added to the to-do list. It shouldn't be too
>>> difficult.
>
>> The ideal would be to use something similar to GSS_C_NO_NAME (as you I
>> think intended). so that any keytab entry could be used.
>
> Yes. Unless I'm missing something, it seems like krb5_verify_init_creds
> could use any key in the keytab (well, provided that there isn't another
> key for the same principal with a later kvno) if no particular principal
> is specified. This would fail in cases where people have old keys in the
> keytab that no longer work, and it might fail in some interesting
> cross-realm cases with keys for other realms in the keytab, but I'd think
> those cases would be the ones where people could specify what principal to
> use for verification. And one could do something like iterating through
> the keytab and trying each key, I suppose.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list