pam-krb5 3.5 released

Russ Allbery rra at stanford.edu
Mon Jun 4 13:21:51 EDT 2007


Markus Moeller <huaraz at moeller.plus.com> writes:

> wouldn't it be better from a security perspective to change the default
> of verify_ap_req_nofail. Right now if the keytab does not exist or the
> verify fails the user can login. Can you enforce it in pam_krb5 and only
> if verify_ap_req_nofail is set to no ignore the check ?

I believe this is properly left to the system administrator to decide what
behavior they want and configure krb5.conf accordingly.  The man page
spells out the issues.  The default behavior in MIT Kerberos is to skip
the check if the keytab is missing or doesn't have the appropriate key,
but *not* skip the check if the keytab is present and readable but the
verification fails, which seems like a good compromise between security
and ease of deployment to me.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
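An added host check, not code from pam-krb5, MIT Kerberos or the thread, that reports which of the cases Russ describes applies to a given krb5.conf and keytab (the paths are assumed and the sample files in demo are constructed):

```shell
#!/bin/sh
# Added example, not code from pam-krb5 or MIT Kerberos: audit whether the
# AP-REQ verification discussed above would actually be enforced on a host.
# Mirrors the MIT default described in the reply: a readable keytab means a
# failed verification denies the login; a missing or unreadable keytab means
# the check is skipped unless krb5.conf sets verify_ap_req_nofail = true.
# Paths default to the usual /etc locations; pass others for testing.
# Prints one token, ENFORCED, ENFORCED_NOFAIL or SKIPPED, and returns 1 on SKIPPED.
audit_ap_req_verify() {
    conf="${1:-/etc/krb5.conf}"
    keytab="${2:-/etc/krb5.keytab}"
    # First verify_ap_req_nofail value in krb5.conf (approximate parse; it does
    # not restrict itself to the [libdefaults] section).
    nofail=$(sed -n 's/^[[:space:]]*verify_ap_req_nofail[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' "$conf" 2>/dev/null | head -n 1 | tr 'A-Z' 'a-z')
    if [ -r "$keytab" ]; then
        # Whether the keytab holds the host key is not checked here; klist -k "$keytab" shows it.
        echo ENFORCED
        return 0
    fi
    case "$nofail" in
        true|yes|on|1) echo ENFORCED_NOFAIL; return 0 ;;
    esac
    echo SKIPPED
    return 1
}

# Constructed sample files showing the weak state and the two enforced states.
demo() {
    d=$(mktemp -d)
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' > "$d/lax.conf"
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\tverify_ap_req_nofail = true\n' > "$d/strict.conf"
    : > "$d/host.keytab"                                                  # stands in for a readable keytab
    audit_ap_req_verify "$d/lax.conf" "$d/nonexistent.keytab" || true   # SKIPPED
    audit_ap_req_verify "$d/strict.conf" "$d/nonexistent.keytab"        # ENFORCED_NOFAIL
    audit_ap_req_verify "$d/lax.conf" "$d/host.keytab"                  # ENFORCED
    rm -rf "$d"
}

demo
```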


