separate keytab for pam_krb5

Russ Allbery rra at
Sun Jan 22 00:12:09 EST 2012

Frank Cusack <frank at> writes:

> Your screensaver is improperly installed.  PAM applications must be
> setuid root, e.g. to read /etc/shadow or because of the problem you've
> described.

I think this is bad advice.  Protecting against the KDC impersonation
attack is a good idea, but not horribly vital in a lot of environments,
whereas making general applications setuid root is a serious security hole
waiting to happen.  I would never do this.  (And it's no longer necessary
for anything using pam_unix on most systems, since it uses a setuid helper

Most screen savers are not written for or audited against running setuid

Russ Allbery (rra at)

More information about the Kerberos mailing list