pam-krb5 3.5 released

Markus Moeller huaraz at moeller.plus.com
Mon Jun 4 03:43:40 EDT 2007


Russ,

wouldn't it  be better from a security perspective to change the default of 
verify_ap_req_nofail. Right now if the keytab doesn not exist or the verify 
fails the user can login. Can you enforce it in pam_krb5 and only if 
verify_ap_req_nofail is set  to no ignore the check ?

Thank you
Markus


"Russ Allbery" <rra at stanford.edu> wrote in message 
news:871wgtaszp.fsf at windlord.stanford.edu...
> Markus Moeller <huaraz at moeller.plus.com> writes:
>> "Russ Allbery" <rra at stanford.edu> wrote:
>
>>> Oh, bleh.  Yeah, I misread that code; I thought it was doing something
>>> smarter.  Okay, added to the to-do list.  It shouldn't be too
>>> difficult.
>
>> The ideal would be to use something similar to GSS_C_NO_NAME (as you I
>> think intended). so that any keytab entry could be used.
>
> Yes.  Unless I'm missing something, it seems like krb5_verify_init_creds
> could use any key in the keytab (well, provided that there isn't another
> key for the same principal with a later kvno) if no particular principal
> is specified.  This would fail in cases where people have old keys in the
> keytab that no longer work, and it might fail in some interesting
> cross-realm cases with keys for other realms in the keytab, but I'd think
> those cases would be the ones where people could specify what principal to
> use for verification.  And one could do something like iterating through
> the keytab and trying each key, I suppose.
>
> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 






More information about the Kerberos mailing list