pam-krb5 3.5 released

Markus Moeller huaraz at moeller.plus.com
Mon Jun 4 14:36:20 EDT 2007 

"Russ Allbery" <rra at stanford.edu> wrote in message 
news:87ps4by6s0.fsf at windlord.stanford.edu...
> Markus Moeller <huaraz at moeller.plus.com> writes:
>
>> wouldn't it be better from a security perspective to change the default
>> of verify_ap_req_nofail. Right now if the keytab doesn not exist or the
>> verify fails the user can login. Can you enforce it in pam_krb5 and only
>> if verify_ap_req_nofail is set to no ignore the check ?
>
> I believe this is properly left to the system administrator to decide what
> behavior they want and configure krb5.conf accordingly.  The man page
> spells out the issues.  The default behavior in MIT Kerberos is to skip
> the check if the keytab is missing or doesn't have the appropriate key,
> but *not* skip the check if the keytab is present and readable but the
> verification fails, which seems like a good compromise between security
> and ease of deployment to me.
>

Is this different in Opensolaris ? It states if undefined it is set to true. 
I guess that is
what I have to set then always in krb5.conf.

    verify_ap_req_nofail [true | false]

SunOS 5.11          Last change: 30 Aug 2006                    6

File Formats                                         krb5.conf(4)

         If true, the local keytab  file  (/etc/krb5/krb5.keytab)
         must  contain an entry for the local host principal, for
         example, host/foo.bar.com at FOO.COM. This entry is  needed
         to  verify that the TGT requested was issued by the same
         KDC that issued the key for the host principal. If unde-
         fined,  the  behavior  is  as if this option were set to
         true. Setting this value  to  false  leaves  the  system
         vulnerable  to  DNS spoofing attacks. This parameter can
         be in the [realms] section to  set  it  on  a  per-realm
         basis, or it can be in the [libdefaults] section to make
         it a network-wide setting for all realms.


> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

Thanks
Markus

More information about the Kerberos mailing list