question about krb5_verify_init_creds() and verify_ap_req_nofail

Sam Hartman hartmans at MIT.EDU
Tue Jan 11 18:51:18 EST 2011

>>>>> "Will" == Will Fiveash <will.fiveash at> writes:

    Will> On Tue, Jan 11, 2011 at 04:20:45PM -0500, Sam Hartman wrote:
    >> Really?  I't expect krb5_kt_default() to succeed if the keytab
    >> does not exist.

    Will> My bad, you are correct that krb5_kt_default() will succeed
    Will> without a keytab existing.

    Will> Still, why try checking the keytab if verify_ap_req_nofail is
    Will> set to false?

[I'm not sure why setting nofail to true causes the code to fail; I'd
expect nofail = true would decrease failures.]

This is the designed behavior of the code.  The reason that verify_creds
does not always fail is that some machines are not keyed.  To provide a
secure environment, you want the ability to assert that all your
machines will be keyed in a configuration file.

However, if a key is present, it provides better security (and defense
against an important attack) to use it.  If the key is bogus, the
administrator should delete it.

We could create a option to ignore the keytab in this case, although I'd
call that option
Given those semantics I don't support actually creating that option.


More information about the krbdev mailing list