separate keytab for pam_krb5
frank at linetwo.net
Sat Jan 21 17:47:45 EST 2012
On Sat, Jan 21, 2012 at 11:46 AM, Stefan Skoglund
<Stefan.Skoglund at agj.net> wrote:
> I had some problems unlocking the X session and after reading
> other people's descriptions of the same symptom I did find the trigger for
> it in my /etc/krb5.conf:
> verify_ap_req_nofail = true
> I dropped it and things started to 'work' again.
> This is of course unsatisfactory and so I now wonder:
> pam_krb5 can use a separate keytab when authenticating and if I
> understand it properly that keytab should contain the 'host/...'
> principal for the local host and the keytab needs to be readable by all
> authenticated local users.
> What are the security implications of this?
Unacceptable, of course. It means that any local user can authenticate as
any other local user.
> This is of course caused by the fact that the session unlock is done by
> the normal user which can't read the system's keytab.
Your screensaver is improperly installed. PAM applications must be setuid
root, e.g. to read /etc/shadow or because of the problem you've described.
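Added example, not from the thread and not part of pam_krb5 or MIT Kerberos: a small POSIX sh audit for the two things the exchange above turns on, namely that the host keytab is readable by root only (so no local user can obtain the host key and defeat the AP-REQ verification) and that verify_ap_req_nofail is still switched on rather than dropped. The default paths /etc/krb5.keytab and /etc/krb5.conf are assumptions; override them with the two positional arguments. The owner check assumes the usual `ls -l` layout with the owner in the third field.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the host keytab
# permissions and the verify_ap_req_nofail setting discussed above.
# Assumed defaults: /etc/krb5.keytab and /etc/krb5.conf.

# Succeeds only if the file's group and other permission bits are all clear,
# i.e. mode 0600 or 0400. Columns 5-10 of `ls -l` are the group/other bits,
# which is the same on GNU and BSD userlands.
keytab_mode_private() {
    [ -f "$1" ] || return 1
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Succeeds only if the file is owned by root (third field of `ls -l`).
keytab_owned_by_root() {
    [ -f "$1" ] || return 1
    set -- $(ls -ld "$1")
    [ "$3" = "root" ]
}

# Succeeds only if krb5.conf enables verify_ap_req_nofail, the setting the
# original poster removed. Commented-out lines do not count.
verify_nofail_enabled() {
    [ -f "$1" ] || return 1
    grep -Eiq '^[[:space:]]*verify_ap_req_nofail[[:space:]]*=[[:space:]]*(true|yes)' "$1"
}

# Combined audit: prints one line per finding, returns 0 only if all pass.
audit_krb5() {
    kt=${1:-/etc/krb5.keytab}
    conf=${2:-/etc/krb5.conf}
    rc=0
    if keytab_mode_private "$kt"; then
        echo "ok:   $kt is not readable by group/other"
    else
        echo "FAIL: $kt is readable by non-root users; anyone with the host key can forge host/ tickets"
        rc=1
    fi
    if keytab_owned_by_root "$kt"; then
        echo "ok:   $kt is owned by root"
    else
        echo "FAIL: $kt is not owned by root"
        rc=1
    fi
    if verify_nofail_enabled "$conf"; then
        echo "ok:   $conf sets verify_ap_req_nofail = true"
    else
        echo "FAIL: $conf does not enforce verify_ap_req_nofail; pam_krb5 will accept a spoofed KDC"
        rc=1
    fi
    return $rc
}

# Run the audit only when explicitly asked, so the file can also be sourced:
#   KRB5_AUDIT=1 sh audit_krb5.sh [keytab] [krb5.conf]
if [ "${KRB5_AUDIT:-0}" = 1 ]; then
    audit_krb5 "$@"
fi
```

The right fix for the poster's symptom is the one Frank gives: keep the keytab 0600 root-owned and let a setuid-root PAM application (or helper) perform the AP-REQ verification, rather than loosening the keytab so an unprivileged screensaver can read it.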