pam-krb5 3.6 released

Russ Allbery rra at stanford.edu
Wed Sep 19 15:56:40 EDT 2007


"Markus Moeller" <huaraz at moeller.plus.com> writes:

> Did you have a chance to look at the keytab verification problem I
> mentioned some time ago?  Right now you need to have a host/fqdn entry
> to verify the tickets, but this means the application needs to run as
> root (assuming verify_ap_req_nofail is set to true, which I think should
> be the default for pam anyway).

It doesn't need to run as root but it does need to have read access to
some keytab.  That keytab can be anything you choose and there's already a
configuration option for that.

There is a request for some way of verifying tickets against a keytab that
isn't readable by the user who is running the program that is doing ticket
verification, which is useful in some specific limited situations on
multi-user machines with xlock.  This, however, looks like it requires a
setuid or setgid helper program and a Kerberos v5 authentication over a
private socket, and I'm not really sure that I want to try to maintain
that code.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
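A pre-flight check for the situation discussed above, added here as an example that is not from this thread or from pam-krb5 itself: it reports whether krb5.conf makes ticket verification mandatory (verify_ap_req_nofail) and whether the keytab pam-krb5 will be pointed at is readable by the current user, since that read access, rather than root, is what verification needs. The keytab path is assumed to be whatever the pam-krb5 keytab option is configured to use.

```shell
#!/bin/sh
# Added example: pre-flight check for pam-krb5 ticket verification.
# Verification against a keytab needs read access to that keytab, not root;
# this script checks whether the two settings are consistent for this user.

# Return 0 when [libdefaults] verify_ap_req_nofail is true in the given krb5.conf.
verify_required() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/ { s = $0; gsub(/[^a-z_]/, "", s); section = s; next }
        section == "libdefaults" {
            gsub(/=/, " ")                           # accept key=value and key = value
            if ($1 == "verify_ap_req_nofail" && ($2 == "true" || $2 == "yes")) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Return 0 when the keytab exists and is readable by the invoking user.
keytab_readable() { [ -f "$1" ] && [ -r "$1" ]; }

# Exit status: 0 = verification mandatory and keytab readable; 1 = verification
# mandatory but keytab unreadable (authentication fails for non-root callers of
# PAM); 2 = verification optional, so a spoofed KDC answer would not be caught.
check_pam_krb5_verify() {
    conf="$1"
    keytab="$2"
    if ! verify_required "$conf"; then
        echo "warn: verify_ap_req_nofail is not enabled in $conf"; return 2
    fi
    if keytab_readable "$keytab"; then
        echo "ok: $keytab is readable by $(id -un); verification can succeed"; return 0
    fi
    echo "FAIL: $keytab is not readable by $(id -un) but verification is mandatory"
    return 1
}

# Stand-alone run: check the given krb5.conf and keytab, or, with no arguments,
# a constructed sample config and an empty placeholder keytab in a temp dir.
if [ $# -eq 2 ]; then
    check_pam_krb5_verify "$1" "$2"
elif [ $# -eq 0 ]; then
    d=$(mktemp -d)
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\tverify_ap_req_nofail = true\n' > "$d/krb5.conf"
    : > "$d/pam.keytab"                                          # constructed, readable
    check_pam_krb5_verify "$d/krb5.conf" "$d/pam.keytab"         # ok, exit 0
    check_pam_krb5_verify "$d/krb5.conf" "$d/missing.keytab" || true   # FAIL, exit 1
    rm -rf "$d"
fi
```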
