pam-krb5 4.5 released

Stephen Frost sfrost at snowman.net
Sun Feb 12 15:22:40 EST 2012


Greg,

* Greg Hudson (ghudson at MIT.EDU) wrote:
> I can think of several things to worry about with that:

Thanks for your thoughts!

It strikes me that the KDC has all the pieces needed to make the
decision.  The only question is if the right parts have the necessary
information to check.  My gut feeling is that the SAM2 module should be
able to tell if FAST is being used and, if not, refuse to allow progress
to go forward.  This would have to be configurable on the KDC side, of
course, but I think it would address the concerns you raised.

I've not looked at any of the code associated with this yet, but I plan
to do so over the next few days to see if my suggestion above can be
implemented.

Regarding configuration management and trusting the SecurID
implementation: those are certainly valid concerns and should be
documented.  I'm confident in our SecurID implementation (which includes
both long PINs and long token values) and feel we can manage the
configuration pieces (particularly ensuring that we only set 'simple'
passwords on princs which have require_hwauth set; perhaps we could set
a policy of some kind associated with that...).

	Thanks again!

		Stephen