separate keytab for pam_krb5

Mantas M. grawity at
Sun Jan 22 09:52:46 EST 2012

On 2012-01-21 22:44, Russ Allbery wrote:
> The right solution to the problem is to have a local oracle that the PAM
> module can authenticate to and which will tell the PAM module whether the
> credentials are valid.  That oracle can then run in a separate security
> context as root and have access to the keytab.  I plan on adding such
> functionality to my PAM module once I find some time, but I haven't gotten
> a chance to work on it yet.  (I want to have a daemon that listens on a
> UNIX domain socket.  It would be somewhat simpler to provide a setuid
> helper program, but I think that's a much higher security risk.)

AFAIK, Fedora's `sssd` contains similar functionality -- the PAM and NSS
modules only contact a daemon running as root.

(Please excuse duplicate messages; I had forgotten again about the
"Reply to List" command...)

Mantas M.
