question about krb5_verify_init_creds() and verify_ap_req_nofail

Greg Hudson ghudson at MIT.EDU
Sat Jan 15 19:40:51 EST 2011

On Fri, 2011-01-14 at 16:21 -0500, Will Fiveash wrote:
>   If that is true, shouldn't the
> MIT default be more restrictive and require and admin to explictly set
> verify_ap_req_nofail to false in krb5.conf if they are less concerned
> about KDC spoofing?

Perhaps if we were designing the feature today.  But if we were to
change the default in, say, 1.10, that would play havoc on sites using
pam_krb5 on unkeyed systems.

More information about the krbdev mailing list