pam-krb5 3.6 released
Markus Moeller
huaraz at moeller.plus.com
Fri Sep 21 15:54:59 EDT 2007
Thank you
Markus
"Russ Allbery" <rra at stanford.edu> wrote in message
news:87bqbyjm1i.fsf at windlord.stanford.edu...
> "Markus Moeller" <huaraz at moeller.plus.com> writes:
>
>> I have a case where an application uses PAM calls to authenticate users
>> (selected by a separate pam.conf line or pam.d/appl file). This
>> application will be maintained by an application support group which
>> generally does not need root access, and the application itself also runs
>> as non-root to avoid more serious system compromises. To make sure that
>> the server talks to the right KDC I'd like to verify the ticket
>> against a keytab. As you say, your code supports different keytabs, which
>> is fine, but your verify call krb5_verify_init_creds uses NULL as
>> principal, which means it requires a host/fqdn principal in the keytab, to
>> which I don't want to give access. I prefer to use another principal
>> like app1/fqdn which can be managed by the application support team. To
>> do so I need an option for pam_krb5 to select the principal or a way to
>> set GSS_C_NO_NAME.
>
>> Is that an unusual case?
>
> Oh, right. Hm, how did I manage to not make a note of that? I remember
> this case and I talked myself into thinking that I'd already fixed it.
>
> Most of what you need is already there in the keytab option to use a
> different keytab, but pam-krb5 also has to provide an option to specify
> what principal to use. I was going to add that (it's not hard) but
> completely forgot.
>
> I'm fairly sure that you have to tell krb5_verify_init_creds what
> principal you're going to use; you can't just tell it to use whatever is
> in the keytab. I'm not sure why, though. It would be nice, if you pass
> in NULL, for it to just use whatever key it finds.
>
> Okay, I'm adding this to TODO right away this time so that I won't forget
> it and it will be in the next release. Sorry about that.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>