pam-krb5 3.6 released

Russ Allbery rra at stanford.edu
Wed Sep 19 17:44:51 EDT 2007


Sam Hartman <hartmans at mit.edu> writes:

> I wonder if krb5 should provide a setuid helper to do rd_req so that
> your keytab can be much more tightly controlled than your service?

That would certainly make me happier than having to ship one with
pam-krb5.  It's a fairly straightforward helper program, I think, although
there's the question of what keytab it should use for verification and how
that can be configured.

It would be spectacularly cool if krb5_verify_init_creds just Did The
Right Thing in such a way that applications didn't have to be aware of the
existence of the helper program.  And you could use
krb5_verify_init_creds_opt_set_* functions as the way of communicating the
application's desires (although there probably has to be a separate
configuration of what the program is willing to do).

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


