Cross Realm Auth problems

Douglas E. Engert deengert at anl.gov
Fri Feb 20 11:01:08 EST 2009



jim.sifferle at tektronix.com wrote:
> deengert at anl.gov wrote: 
> 
>> What version of pam_krb5 are you using?
>> It may or may not accept a principal in place of a name. Some
>> versions of pam_krb5 can add an additional prompt to
>> prompt for the principal, so that the local user name does not
>> have to match the principal, and can be from a different realm.
> 
>> Russ's version has the above feature and is in Debian:
>>      <http://www.eyrie.org/~eagle/software/pam-krb5/>
> 
> I'm using the default pam_krb5 that comes with CentOS 5.2... 2.2.14.  I take it that I will need to update to 3.13 to get this added feature to prompt for principal?  I'll have to hunt for a RHEL/CentOS compatible RPM or build one myself.
> 
Not sure what the 2.2.14 version does. There are a number of
pam_krb5 modules available with different code lineages.
The one I cited is used with Debian, and has the prompting
feature.


>> You also did not say if you created a host keytab and registered
>> the host in AD. pam_krb5 will try and get a service ticket
>> for the local host.
> 
> I did not create a keytab, nor have I registered the host in AD.  I was under the impression that I didn't need to unless I wanted to use other features such as password changes.  The use case I'm dealing with doesn't require this feature.  Am I incorrect in saying I don't need a keytab or to add the client host to AD in this case?
> 

At login, pam_krb5 gets a service ticket for the host, to double-check that
the machine is talking to the real KDC. Without this, an attacker
could attach a machine to his own network, with his own bogus KDC,
and log in as any valid user, as his password would match what's in his bogus KDC.

This test can be turned off with some pam_krb5 versions. Look for the verify_*
options in the man pages. It depends on the pam_krb5.


> Thanks for your help,
> 
> Jim
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
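As an added illustration of the KDC check Doug describes (this is not code from the thread or from any pam_krb5 module), a toy Python model of the login flow: the password check alone is satisfied by whichever KDC answers, while the host-ticket check only passes when the KDC holds the same host key as the client's keytab. Principal names, passwords and keys are constructed, and HMAC-SHA256 tags stand in for Kerberos encryption.

```python
# Toy model of why pam_krb5 fetches a host ticket: constructed example, HMAC-SHA256 stands in for Kerberos crypto.
import hashlib
import hmac
import secrets

def user_key(password: str, principal: str) -> bytes:
    # Password-derived long-term key (stand-in for Kerberos string-to-key)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def seal(key: bytes, body: bytes) -> bytes:
    # "Ticket" = body || MAC(key, body); only a holder of `key` can validate it
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, ticket: bytes):
    body, tag = ticket[:-32], ticket[-32:]
    ok = hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)
    return body if ok else None

class Kdc:
    """A KDC is just a principal database; whoever runs it chooses the keys."""
    def __init__(self, db: dict):
        self.db = db
    def as_rep(self, user: str) -> bytes:  # AS-REP: sealed with the user's key
        return seal(self.db[user], b"tgt:" + user.encode())
    def tgs_rep(self, service: str) -> bytes:  # TGS-REP: sealed with the service's key
        # A rogue KDC holds no copy of the real host key, so it can only improvise one
        return seal(self.db.get(service, secrets.token_bytes(32)), b"svc:" + service.encode())

def pam_login(kdc: Kdc, user: str, password: str, keytab: dict, host: str, verify: bool = True) -> bool:
    # Step 1: password check = can the password-derived key open the AS-REP?
    if unseal(user_key(password, user), kdc.as_rep(user)) is None:
        return False
    if not verify:  # the verify_* check from the man page switched off
        return True
    # Step 2: get a ticket for our own host and open it with the keytab key
    return unseal(keytab[host], kdc.tgs_rep(host)) is not None

HOST = "host/client.example.com"  # constructed principal names and keys
REAL_HOST_KEY = secrets.token_bytes(32)
KEYTAB = {HOST: REAL_HOST_KEY}  # what was registered in AD and stored on the client
REAL_KDC = Kdc({"jim": user_key("jims-real-pw", "jim"), HOST: REAL_HOST_KEY})
ROGUE_KDC = Kdc({"jim": user_key("attacker-pw", "jim")})  # attacker's own KDC

if __name__ == "__main__":
    print("real KDC, real password:", pam_login(REAL_KDC, "jim", "jims-real-pw", KEYTAB, HOST))
    print("rogue KDC, verify off:", pam_login(ROGUE_KDC, "jim", "attacker-pw", KEYTAB, HOST, verify=False))
    print("rogue KDC, verify on:", pam_login(ROGUE_KDC, "jim", "attacker-pw", KEYTAB, HOST, verify=True))
```

With verification off, the rogue KDC logs "jim" in with the attacker's chosen password; with it on, the login fails because the improvised host ticket does not open with the keytab key.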
