separate keytab for pam_krb5

Russ Allbery rra at
Sun Jan 22 00:34:14 EST 2012

Frank Cusack <frank at> writes:

> They don't need to be.  The screen saver itself can be run in an
> unprivileged context.

Only with an internal architecture that screen savers often don't bother
to implement any more, since no one does this these days now that pam_unix
has a setuid helper.  So if you actualy make the screen saver setuid root,
you may end up with an unaudited program that doesn't know how to manage
its elevated security context.

Screen savers did indeed used to always work this way, with setuid
required, but since pam_unix added a setuid helper, all that's been
largely unwound, or at least left unmaintained.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list