separate keytab for pam_krb5
Russ Allbery
rra at stanford.edu
Sun Jan 22 00:12:09 EST 2012
Frank Cusack <frank at linetwo.net> writes:
> Your screensaver is improperly installed. PAM applications must be
> setuid root, e.g. to read /etc/shadow or because of the problem you've
> described.
I think this is bad advice. Protecting against the KDC impersonation
attack is a good idea, but not horribly vital in a lot of environments,
whereas making general applications setuid root is a serious security hole
waiting to happen. I would never do this. (And it's no longer necessary
for anything using pam_unix on most systems, since it uses a setuid helper
program.)
Most screen savers are not written for or audited against running setuid
root.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
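An added example, not part of the thread and not Russ Allbery's or pam-krb5's own code: a small POSIX shell check that a dedicated pam_krb5 keytab (the thread's subject) is readable by the unprivileged process that will validate the TGT, without being world-readable. The keytab path and the PAM line in the comments are assumptions; pam-krb5's `keytab=` option is the one documented for that module.

```shell
# Added example (not from the thread). Verifies that a separate keytab used by
# pam_krb5 for TGT validation is a regular file, readable by the current user,
# and not world-readable. Path and PAM line below are assumptions.
#
# Example PAM configuration using pam-krb5's keytab option:
#   auth sufficient pam_krb5.so keytab=/etc/krb5.pam.keytab
#
# Returns 0 when the file passes; prints the reason and returns 1 otherwise.
check_pam_keytab() {
    kt="$1"
    if [ ! -f "$kt" ]; then
        echo "keytab $kt: missing or not a regular file"
        return 1
    fi
    if [ ! -r "$kt" ]; then
        echo "keytab $kt: not readable by uid $(id -u)"
        return 1
    fi
    # First ten characters of ls -ld are the type and permission bits;
    # character 8 is the 'other' read bit.
    mode=$(ls -ld "$kt" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c8)" = "r" ]; then
        echo "keytab $kt: world-readable ($mode), service key exposed to all local users"
        return 1
    fi
    echo "keytab $kt: ok ($mode)"
    return 0
}

# Usage: check_pam_keytab /etc/krb5.pam.keytab
```

The idea is that the keytab holds only the key pam_krb5 needs to validate the TGT (typically a host or dedicated service principal), so it can be group-readable by the screen-saver's users without making anything setuid root.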