separate keytab for pam_krb5

Frank Cusack frank at
Sat Jan 21 17:47:45 EST 2012

On Sat, Jan 21, 2012 at 11:46 AM, Stefan Skoglund
<Stefan.Skoglund at> wrote:

> I had a bit of a problem unlocking the X session and after reading
> other people's descriptions of the same symptom I did find the trigger for
> it in my /etc/krb5.conf:
> ---
> verify_ap_req_nofail = true
> ---
> I dropped it and things started to 'work' again.
> This is of course unsatisfactory and so I now wonder:
> pam_krb5 can use a separate keytab when authenticating and if I
> understand it properly that keytab should contain the 'host/...'
> principal for the local host and the keytab needs to be readable by all
> authenticated local users.
> What are the security implications of this?

Unacceptable, of course.  It means that any local user can authenticate as
any other local user.

> This is of course caused by the fact that the session unlock is done by
> the normal user which can't read the system's keytab.

Your screensaver is improperly installed.  PAM applications must be setuid
root, e.g. to read /etc/shadow or because of the problem you've described.
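
An audit sketch for the two conditions discussed in this thread, added here as an example and not part of the original messages: it reports a krb5.conf-style text where `verify_ap_req_nofail` is not enabled and any configured keytab that is world-readable. The parser is deliberately simplified (section and brace nesting are ignored), and the `other` application name, the file names and the sample configuration are constructed for the demonstration.

```python
import os
import re
import stat
import tempfile

# Matches the two settings discussed in the thread; commented-out lines do not match.
SETTING = re.compile(r"^[ \t]*(verify_ap_req_nofail|keytab)[ \t]*=[ \t]*(\S+)", re.M)
TRUE_VALUES = {"true", "t", "yes", "y", "on", "1"}

def audit_krb5(conf_text):
    """Return a list of findings for a krb5.conf-style text (simplified parse)."""
    findings = []
    settings = SETTING.findall(conf_text)
    if not any(k == "verify_ap_req_nofail" and v.lower() in TRUE_VALUES
               for k, v in settings):
        findings.append("verify_ap_req_nofail not enabled: KDC verification "
                        "may be skipped when the keytab cannot be read")
    for key, value in settings:
        if key != "keytab":
            continue
        path = value[5:] if value.startswith("FILE:") else value
        try:
            mode = os.stat(path).st_mode
        except OSError as exc:
            findings.append(f"{path}: cannot stat ({exc.strerror})")
            continue
        if mode & stat.S_IROTH:  # any local user could read the host key
            findings.append(f"{path}: world-readable (mode {stat.S_IMODE(mode):04o})")
    return findings

def demo():
    """Constructed sample: one world-readable keytab, one owner-only keytab."""
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, mode in (("pam.keytab", 0o644), ("krb5.keytab", 0o600)):
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb"):
                pass  # empty placeholder file, only the mode matters here
            os.chmod(paths[name], mode)
        conf = (
            "[libdefaults]\n"
            "    # verify_ap_req_nofail = true\n"
            "[appdefaults]\n"
            f"    pam = {{\n        keytab = FILE:{paths['pam.keytab']}\n    }}\n"
            f"    other = {{\n        keytab = {paths['krb5.keytab']}\n    }}\n"
        )
        return audit_krb5(conf)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```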
