pam-krb5 3.6 released

Sam Hartman hartmans at MIT.EDU
Wed Sep 19 17:36:35 EDT 2007


>>>>> "Russ" == Russ Allbery <rra at stanford.edu> writes:

    Russ> Sam Hartman <hartmans at mit.edu> writes:
    >> I think that's a mischaracterization of the problem.  You need
    >> this whenever you have a service that needs to verify passwords
    >> but that cannot be trusted with a Kerberos key of its own.  It
    >> seems like that's going to be much more common than just
    >> xscreensaver.

    Russ> True, although xscreensaver is the only practical case that
    Russ> I've heard about so far.  But I believe you that there are
    Russ> probably more.

I wonder if krb5 should provide a setuid helper to do rd_req so that your keytab can be much more tightly controlled than your service?




More information about the Kerberos mailing list