pam-krb5 3.6 released

Russ Allbery rra at stanford.edu
Wed Sep 19 19:03:05 EDT 2007


"Markus Moeller" <huaraz at moeller.plus.com> writes:

> I have a case where an application uses pam calls to authenticate users
> (selected by a separate pam.conf line or pam.d/appl file). This
> application will be maintained by an application support group which
> generally does not need root access and the application itself runs also
> as non root to avoid more serious system compromises.  To make sure that
> the server talks to the right kdc I'd like to verify the ticket
> against a keytab. As you say your code supports different keytabs which
> is fine, but your verify call krb5_verify_init_creds uses NULL as
> principal which means it requires a host/fqdn principal in the keytab to
> which I don't want to give access to.  I prefer to use another principal
> like app1/fqdn which can be managed by the application support team. To
> do so I need an option for pam_krb5 to select the principal or a way to
> set GSS_C_NO_NAME.

> Is that an unusual case?

Oh, right.  Hm, how did I manage to not make a note of that?  I remember
this case and I talked myself into thinking that I'd already fixed it.

Most of what you need is already there in the keytab option to use a
different keytab, but pam-krb5 also has to provide an option to specify
what principal to use.  I was going to add that (it's not hard) but
completely forgot.

I'm fairly sure that you have to tell krb5_verify_init_creds what
principal you're going to use; you can't just tell it to use whatever is
in the keytab.  I'm not sure why, though.  It would be nice, if you pass
in NULL, for it to just use whatever key it finds.

Okay, I'm adding this to TODO right away this time so that I won't forget
it and it will be in the next release.  Sorry about that.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>