question about krb5_verify_init_creds() and verify_ap_req_nofail
ghudson at MIT.EDU
Sat Jan 15 19:40:51 EST 2011
On Fri, 2011-01-14 at 16:21 -0500, Will Fiveash wrote:
> If that is true, shouldn't the
> MIT default be more restrictive and require an admin to explicitly set
> verify_ap_req_nofail to false in krb5.conf if they are less concerned
> about KDC spoofing?
Perhaps if we were designing the feature today. But if we were to
change the default in, say, 1.10, that would play havoc on sites using
pam_krb5 on unkeyed systems.