
Re: pam-krb5 3.5 released

daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Jun 1 15:55:54 2007

From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <03a401c7a47e$52994740$0801a8c0@home> (Markus Moeller's message
	of "Fri, 1 Jun 2007 19:54:41 +0100")
Date: Fri, 01 Jun 2007 12:55:29 -0700
Message-ID: <87d50f1mby.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Markus Moeller <huaraz@moeller.plus.com> writes:

> 1) The application runs as non-root and I'd like to use the keytab check
> to verify that it came from the right KDC. At the moment your code
> allows changing the keytab file itself but not the service. It always
> looks for the host principal. Can you add an option to change this to
> another principal so I can keep the system keytab only accessible by
> root?

I'm pretty sure this is not the case.  The PAM module just calls
krb5_verify_init_creds, and at least in the MIT implementation, it uses
whatever key it can find in the keytab to do the verification.  It doesn't
have to use a host key.

> 2) Since the application doesn't need to check the existence of the user
> on the OS, can you add an option to not use the OS user check with
> getpwnam (as you mention in the code, it means pam_setcred and
> pam_open_session don't work, but that would not be needed anyway)? I
> would need only the auth and account features of PAM.

The module only calls getpwnam for session-related functions and to find
the user's .k5login file, and has fallback logic for the latter, so as
near as I can tell, this feature is already implemented.  What specific
problems are you having?

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
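The second answer above (getpwnam is only needed to locate the user's .k5login, and the module falls back when that lookup fails) is easy to misread as "authentication breaks without a local account". The following C program is an added illustration of that lookup-with-fallback pattern; it is not pam-krb5's code. It assumes a constructed .k5login body embedded as a string, the hypothetical function names `k5login_path`, `principal_in_k5login`, `principal_matches_user` and `authorized`, and a deliberately simplified default mapping (principal must equal `user@REALM`) standing in for the library's own krb5_kuserok()/krb5_aname_to_localname() logic, which real deployments should use instead.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Resolve the path of USER's ~/.k5login via getpwnam().  Returns a
 * malloc'd string, or NULL when the user has no local account (or no
 * home directory).  That is the case a module must tolerate: the caller
 * then falls back to the default principal-to-user mapping instead of
 * failing authentication outright.
 */
char *k5login_path(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_dir == NULL || pw->pw_dir[0] == '\0')
        return NULL;
    size_t len = strlen(pw->pw_dir) + sizeof("/.k5login");
    char *path = malloc(len);
    if (path == NULL)
        return NULL;
    snprintf(path, len, "%s/.k5login", pw->pw_dir);
    return path;
}

/*
 * Check whether PRINCIPAL appears as a line of .k5login CONTENTS.  The
 * contents are passed as a string rather than read from disk so the
 * example runs offline.  Matching is exact on the whole line after
 * trailing whitespace (including CR) is trimmed; blank lines are ignored.
 */
int principal_in_k5login(const char *principal, const char *contents)
{
    size_t plen = strlen(principal);
    const char *line = contents;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t n = eol ? (size_t)(eol - line) : strlen(line);
        while (n > 0 && isspace((unsigned char)line[n - 1]))
            n--;
        if (n == plen && memcmp(line, principal, plen) == 0)
            return 1;
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return 0;
}

/*
 * Simplified fallback used when there is no .k5login: accept only the
 * principal USER@REALM.  (Stand-in for krb5_kuserok(); real code should
 * use the library mapping, which also honours auth_to_local rules.)
 */
int principal_matches_user(const char *principal, const char *user, const char *realm)
{
    size_t ulen = strlen(user);
    return strncmp(principal, user, ulen) == 0
        && principal[ulen] == '@'
        && strcmp(principal + ulen + 1, realm) == 0;
}

/*
 * Authorization decision.  K5LOGIN is the file contents when the user's
 * .k5login exists and is readable, or NULL when there is no local
 * account or no such file; only then does the default mapping apply.
 */
int authorized(const char *principal, const char *user, const char *realm,
               const char *k5login)
{
    if (k5login != NULL)
        return principal_in_k5login(principal, k5login);
    return principal_matches_user(principal, user, realm);
}

/* Constructed sample .k5login contents for a stand-alone run. */
static const char SAMPLE_K5LOGIN[] =
    "alice@EXAMPLE.ORG\n"
    "admin/alice@EXAMPLE.ORG\r\n"
    "\n";

int main(void)
{
    char *p = k5login_path("no-such-user-pamkrb5");
    printf("nonexistent user -> %s\n", p ? p : "(no account, use fallback)");
    free(p);
    printf("alice via .k5login: %d\n",
           authorized("alice@EXAMPLE.ORG", "alice", "EXAMPLE.ORG", SAMPLE_K5LOGIN));
    printf("mallory via alice's .k5login: %d\n",
           authorized("mallory@EXAMPLE.ORG", "alice", "EXAMPLE.ORG", SAMPLE_K5LOGIN));
    printf("bob with no .k5login: %d\n",
           authorized("bob@EXAMPLE.ORG", "bob", "EXAMPLE.ORG", NULL));
    printf("bob from another realm: %d\n",
           authorized("bob@EVIL.ORG", "bob", "EXAMPLE.ORG", NULL));
    return 0;
}
```

The point to take from the structure is that the passwd lookup feeds only the authorization step (where to find .k5login), so a missing local account degrades to the default mapping rather than to an error; the keytab-based verification of the KDC reply discussed in the first answer is independent of it.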
