separate keytab for pam_krb5

Frank Cusack frank at
Sun Jan 22 00:49:11 EST 2012

That's unfortunate, if the argument is that now you don't need to worry
about the security of the screen saver instance/module.  On systems that
use screensavers, i.e., generally single user desktops, compromising a user
account is just as devastating to the user as compromising the entire

On Saturday, January 21, 2012, Russ Allbery <rra at> wrote:
> Frank Cusack <frank at> writes:
>> They don't need to be.  The screen saver itself can be run in an
>> unprivileged context.
> Only with an internal architecture that screen savers often don't bother
> to implement any more, since no one does this these days now that pam_unix
> has a setuid helper.  So if you actually make the screen saver setuid root,
> you may end up with an unaudited program that doesn't know how to manage
> its elevated security context.
> Screen savers did indeed used to always work this way, with setuid
> required, but since pam_unix added a setuid helper, all that's been
> largely unwound, or at least left unmaintained.
> --
> Russ Allbery (rra at             <>
