[27873] in Kerberos
Re: pam-krb5 3.5 released
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Sun Jun 3 15:08:26 2007
In-Reply-To: <871wgtaszp.fsf@windlord.stanford.edu>
Mime-Version: 1.0 (Apple Message framework v752.2)
Message-Id: <C7A89225-85E8-4A58-80F5-4DF30A538928@mit.edu>
From: Ken Raeburn <raeburn@mit.edu>
Date: Sun, 3 Jun 2007 15:07:51 -0400
To: Russ Allbery <rra@stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Jun 3, 2007, at 12:43, Russ Allbery wrote:
> Yes. Unless I'm missing something, it seems like
> krb5_verify_init_creds
> could use any key in the keytab (well, provided that there isn't
> another
> key for the same principal with a later kvno) if no particular
> principal
> is specified.
At least around MIT, a single key file is often used as the
distribution mechanism for all the keys to be used on a host,
regardless of whether each service runs as root or not. Obviously
keys for non-root services would have to be copied out, but that
doesn't mean that the default keytab file won't still have copies of
keys available to anyone who compromises a non-root service. So a
facility run as root should probably prefer keys most likely to be
accessible only to root, namely, the host key.
Since most uses of verify_init_creds are probably for actual login
access, I think the current behavior is probably the right default.
If no host key is present, then maybe using another key makes sense.
Ken
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
