[27877] in Kerberos
Re: pam-krb5 3.5 released
daemon@ATHENA.MIT.EDU (Markus Moeller)
Mon Jun 4 03:44:59 2007
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Mon, 4 Jun 2007 08:43:40 +0100
Message-ID: <f40fri$9e3$1@sea.gmane.org>
X-Complaints-To: usenet@sea.gmane.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Russ,
wouldn't it be better from a security perspective to change the default of
verify_ap_req_nofail? Right now, if the keytab does not exist or the verify
fails, the user can log in. Can you enforce it in pam_krb5 and only ignore the
check if verify_ap_req_nofail is set to no?
Thank you
Markus
"Russ Allbery" <rra@stanford.edu> wrote in message
news:871wgtaszp.fsf@windlord.stanford.edu...
> Markus Moeller <huaraz@moeller.plus.com> writes:
>> "Russ Allbery" <rra@stanford.edu> wrote:
>
>>> Oh, bleh. Yeah, I misread that code; I thought it was doing something
>>> smarter. Okay, added to the to-do list. It shouldn't be too
>>> difficult.
>
>> The ideal would be to use something similar to GSS_C_NO_NAME (as you I
>> think intended). so that any keytab entry could be used.
>
> Yes. Unless I'm missing something, it seems like krb5_verify_init_creds
> could use any key in the keytab (well, provided that there isn't another
> key for the same principal with a later kvno) if no particular principal
> is specified. This would fail in cases where people have old keys in the
> keytab that no longer work, and it might fail in some interesting
> cross-realm cases with keys for other realms in the keytab, but I'd think
> those cases would be the ones where people could specify what principal to
> use for verification. And one could do something like iterating through
> the keytab and trying each key, I suppose.
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
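The setting under discussion lives in the [libdefaults] section of krb5.conf, and with the library default (false) a missing keytab or a failed AP-REQ verification is treated as success by krb5_verify_init_creds, which is the KDC-spoofing window Markus objects to. The following script is an added example, not code from the thread, from pam-krb5 or from MIT Kerberos: it parses a krb5.conf fragment and reports whether verify_ap_req_nofail is enforced. The sample configurations are constructed for the demonstration, and the set of accepted boolean spellings is an assumption based on the MIT profile library's documented behaviour.

```python
import re

# Boolean spellings accepted by the MIT profile library (assumption based on its
# documented behaviour; matched case-insensitively).
_TRUE = {"y", "yes", "true", "t", "1", "on"}
_FALSE = {"n", "no", "false", "nil", "0", "off"}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: returns {section: {key: value}} for top-level keys.

    Nested blocks such as 'EXAMPLE.COM = { ... }' under [realms] are skipped, so a
    value placed inside one is not mistaken for the [libdefaults] setting.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        # profile files treat lines starting with '#' or ';' as comments
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        depth -= line.count("}")
        if depth == 0 and current and "=" in line and "{" not in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
        depth += line.count("{")
    return sections


def audit_verify_ap_req_nofail(text):
    """Return (status, detail) for the KDC-spoofing protection setting.

    'weak' means krb5_verify_init_creds would treat a missing keytab or a
    failed AP-REQ verification as success; 'ok' means failures are fatal.
    """
    cfg = parse_krb5_conf(text)
    value = cfg.get("libdefaults", {}).get("verify_ap_req_nofail")
    if value is None:
        return "weak", "verify_ap_req_nofail not set; library default is false"
    word = value.lower()
    if word in _TRUE:
        return "ok", f"verify_ap_req_nofail = {value}"
    if word in _FALSE:
        return "weak", f"verify_ap_req_nofail = {value}: verification failures ignored"
    return "unknown", f"unrecognised boolean value {value!r}"


# Constructed sample: the common (weak) configuration that never mentions the key.
WEAK_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Constructed sample: the hardened configuration that makes verification mandatory.
HARDENED_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = true
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        status, detail = audit_verify_ap_req_nofail(conf)
        print(f"{name:9s} -> {status}: {detail}")
```

Running the script reports the first fragment as weak and the second as ok; the parser ignores keys inside nested realm blocks so that a misplaced value does not produce a false pass. Note that this only checks the configuration file; an application can still make verification mandatory in code regardless of the file, which is what Markus asks pam-krb5 to do.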