pam-krb5 3.6 released

Markus Moeller huaraz at moeller.plus.com
Fri Sep 21 15:54:59 EDT 2007


Thank you
Markus

"Russ Allbery" <rra at stanford.edu> wrote in message 
news:87bqbyjm1i.fsf at windlord.stanford.edu...
> "Markus Moeller" <huaraz at moeller.plus.com> writes:
>
>> I have a case where an application uses pam calls to authenticate users
>> (selected by a separate pam.conf line or pam.d/appl file). This
>> application will be maintained by an application support group which
>> generally does not need root access and the application itself runs also
>> as non root to avoid more serious system compromises.  To make sure that
>> the server talks to the right kdc I'd like to verify the ticket
>> against a keytab. As you say your code supports different keytabs which
>> is fine, but your verify call krb5_verify_init_creds uses NULL as
>> principal which means it requires a host/fqdn principal in the keytab to
>> which I don't want to give access to.  I prefer to use another principal
>> like app1/fqdn which can be managed by the application support team. To
>> do so I need an option for pam_krb5 to select the principal or a way to
>> set GSS_C_NO_NAME.
>
>> Is that an unusual case ?
>
> Oh, right.  Hm, how did I manage to not make a note of that?  I remember
> this case and I talked myself into thinking that I'd already fixed it.
>
> Most of what you need is already there in the keytab option to use a
> different keytab, but pam-krb5 also has to provide an option to specify
> what principal to use.  I was going to add that (it's not hard) but
> completely forgot.
>
> I'm fairly sure that you have to tell krb5_verify_init_creds what
> principal you're going to use; you can't just tell it to use whatever is
> in the keytab.  I'm not sure why, though.  It would be nice, if you pass
> in NULL, for it to just use whatever key it finds.
>
> Okay, I'm adding this to TODO right away this time so that I won't forget
> it and it will be in the next release.  Sorry about that.
>
> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 