RX Kerberos 5 security class requirements of Kerberos library

Nicolas Williams Nicolas.Williams at sun.com
Wed Jan 3 12:23:30 EST 2007

On Wed, Jan 03, 2007 at 12:00:53PM -0500, Jeffrey Altman wrote:
> Nicolas Williams wrote:
> > Well, no, I'm saying that for localauth AFS should use OS facilities,
> > not Kerberos or any other security mechanism.  And I'm saying that a
> > Kerberos-based PSK mechanism should be more general if there will be one
> > at all.
> >
> >> We can enforce the localauth case by how the client keytab is used.
> >
> > ?
> >
> The API will check that there exists a client keytab entry for the
> specified client principal.

But the API can't check that the key is correct without a trip to the

> This way the function can only be used for localauth and cannot be used
> to specify an
> arbitrary client name to the service whose key is in the service keytab.

Sorry, I find this lame.  And I still have yet to hear what is so wrong
with using OS facilities for local auth.

More information about the krbdev mailing list