pam-krb5 3.6 released
Russ Allbery
rra at stanford.edu
Wed Sep 19 17:44:51 EDT 2007
Sam Hartman <hartmans at mit.edu> writes:
> I wonder if krb5 should provide a setuid helper to do rd_req so that
> your keytab can be much more tightly controlled than your service?

That would certainly make me happier than having to ship one with
pam-krb5. It's a fairly straightforward helper program, I think, although
there's the question of what keytab it should use for verification and how
that can be configured.

It would be spectacularly cool if krb5_verify_init_creds just Did The
Right Thing in such a way that applications didn't have to be aware of the
existence of the helper program. And you could use
krb5_verify_init_creds_opt_set_* functions as the way of communicating the
application's desires (although there probably has to be a separate
configuration of what the program is willing to do).
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>