separate keytab for pam_krb5

Stefan Skoglund Stefan.Skoglund at
Sat Jan 21 14:46:01 EST 2012

I had a bit of a problem unlocking the X session, and after reading
other people's descriptions of the same symptom I found the trigger for
it in my /etc/krb5.conf:
verify_ap_req_nofail = true

I dropped it and things started to 'work' again.

This is of course unsatisfactory, and so I now wonder:
pam_krb5 can use a separate keytab when authenticating, and if I
understand it properly that keytab should contain the 'host/...'
principal for the local host, and the keytab needs to be readable by all
authenticated local users.

What are the security implications of this?

This is of course caused by the fact that the session unlock is done by
the normal user, who can't read the system's keytab.

More information about the Kerberos mailing list
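Some context for the question above, followed by an added example. With verify_ap_req_nofail set, pam_krb5 does not trust a TGT just because the user's password decrypted it: it requests a service ticket for the local host principal and checks that ticket against the host key in a keytab, so a spoofed KDC cannot fake a successful login. A screen locker runs as the unprivileged user, who cannot read /etc/krb5.keytab, so the check fails and the unlock is refused; dropping the option makes the unlock "work" by removing that defence. The trade-off of a separate, user-readable keytab is that whoever can read it holds the host's long-term key and can impersonate host/<fqdn>, so such a keytab should contain that one principal and nothing else. The script below is an added example, not code from the original post or from pam_krb5 or MIT Kerberos: it reads the MIT keytab v2 on-disk format, lists what a keytab contains, and flags the things a reviewer would want to know before handing the file to every local user (world-readable mode, extra principals, DES keys, or no usable host entry at all). The principal names, realm, key bytes and the hostname ws1.example.org are constructed sample values.

```python
"""Audit the keytab a pam_krb5 stack is given for AP-REQ verification.

Added example; not code from the original post or from pam_krb5 / MIT krb5.
Implements a reader for the MIT keytab v2 file format (magic 0x05 0x02,
big-endian fields) plus a small writer used only to construct sample data.
Principal names, realm and key bytes used here are made up for illustration.
"""
import struct

KEYTAB_V2 = b"\x05\x02"
NT_PRINCIPAL, NT_SRV_HST = 1, 3            # RFC 4120 principal name types
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}


def _counted(b):
    """uint16 length prefix + bytes: the keytab's counted_octet_string."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab v2 bytes."""
    out = bytearray(KEYTAB_V2)
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        name_type = NT_SRV_HST if comps[0] == "host" else NT_PRINCIPAL
        # name_type, timestamp (0 in this sample), 8-bit kvno
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)     # trailing 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of entry dicts; deleted slots (negative size) are skipped."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []

    def counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        s = data[pos:pos + n]
        pos += n
        return s

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                        # slot freed by ktremove
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = counted()
        kvno = vno8
        if end - pos >= 4:                  # MIT uses the 32-bit kvno when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key": key})
    return entries


def audit_keytab(data, local_fqdn, mode):
    """Findings for a keytab whose only job is to let pam_krb5 verify a TGT
    against host/<local_fqdn>. `mode` is the permission bits from os.stat."""
    findings = []
    if mode & 0o004:
        findings.append("world-readable: every local user can copy the host key")
    wanted = f"host/{local_fqdn}"
    entries = parse_keytab(data)
    if not any(e["principal"].split("@")[0] == wanted for e in entries):
        findings.append(f"missing {wanted}: verify_ap_req_nofail would reject every login")
    for e in entries:
        if e["principal"].split("@")[0] != wanted:
            findings.append(f"extra principal {e['principal']}: exposed for no benefit")
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"{e['principal']} has a {WEAK_ENCTYPES[e['enctype']]} key")
    return findings


# Constructed sample: the host key plus an NFS service key that should not be here.
SAMPLE_KEYTAB = build_keytab([
    ("host/ws1.example.org@EXAMPLE.ORG", 3, 18, bytes(32)),   # aes256-cts, dummy key
    ("nfs/ws1.example.org@EXAMPLE.ORG", 2, 3, bytes(8)),      # des-cbc-md5, dummy key
])

if __name__ == "__main__":
    import os, socket, sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_KEYTAB
    mode = os.stat(path).st_mode & 0o777 if path else 0o644
    fqdn = socket.getfqdn() if path else "ws1.example.org"
    for e in parse_keytab(data):
        print(f"kvno {e['kvno']:3d} enctype {e['enctype']:3d} {e['principal']}")
    for f in audit_keytab(data, fqdn, mode):
        print("WARNING:", f)
```

Run without arguments it audits the embedded sample and reports the world-readable mode, the stray nfs/ entry and its DES key; run with a path it audits a real keytab for the local FQDN. Two practical notes when building such a keytab on MIT Kerberos: kadmin's ktadd re-randomises the principal's key and bumps the kvno, which would silently break the existing /etc/krb5.keytab, so either copy the host entry out of the system keytab with ktutil (rkt, delent the rest, wkt) or use ktadd -norandkey from kadmin.local; and rather than 0644, consider making the file readable only by a group that contains the users who actually need to unlock sessions on that machine, since the cost of exposure is full impersonation of the host service.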