[27881] in Kerberos
Re: pam-krb5 3.5 released
daemon@ATHENA.MIT.EDU (Markus Moeller)
Mon Jun 4 14:37:21 2007
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Mon, 4 Jun 2007 19:36:20 +0100
Message-ID: <f41m3f$oa3$1@sea.gmane.org>
X-Complaints-To: usenet@sea.gmane.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
"Russ Allbery" <rra@stanford.edu> wrote in message
news:87ps4by6s0.fsf@windlord.stanford.edu...
> Markus Moeller <huaraz@moeller.plus.com> writes:
>
>> wouldn't it be better from a security perspective to change the default
>> of verify_ap_req_nofail. Right now if the keytab does not exist or the
>> verify fails the user can login. Can you enforce it in pam_krb5 and only
>> if verify_ap_req_nofail is set to no ignore the check?
>
> I believe this is properly left to the system administrator to decide what
> behavior they want and configure krb5.conf accordingly. The man page
> spells out the issues. The default behavior in MIT Kerberos is to skip
> the check if the keytab is missing or doesn't have the appropriate key,
> but *not* skip the check if the keytab is present and readable but the
> verification fails, which seems like a good compromise between security
> and ease of deployment to me.
>
Is this different in OpenSolaris? It states that if undefined it is set to true.
I guess that is what I have to set then always in krb5.conf.
verify_ap_req_nofail [true | false]
If true, the local keytab file (/etc/krb5/krb5.keytab)
must contain an entry for the local host principal, for
example, host/foo.bar.com@FOO.COM. This entry is needed
to verify that the TGT requested was issued by the same
KDC that issued the key for the host principal. If undefined,
the behavior is as if this option were set to
true. Setting this value to false leaves the system
vulnerable to DNS spoofing attacks. This parameter can
be in the [realms] section to set it on a per-realm
basis, or it can be in the [libdefaults] section to make
it a network-wide setting for all realms.
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
Thanks
Markus
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
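A small checker for the setting discussed in this thread, added here as an example; it is not code from pam-krb5, MIT Kerberos or Solaris. It parses the krb5.conf layout the man page excerpt describes (verify_ap_req_nofail either in [libdefaults] for all realms or inside a realm block in [realms]) and reports the effective value for one realm. It assumes that a per-realm entry overrides the [libdefaults] one, which the man page implies but does not state, and the "undefined" reading follows the two behaviours given in the thread (Solaris treats it as true; MIT skips the check only when the keytab is missing or lacks the host key). The sample configuration and realm names are constructed.

```python
"""Report the effective verify_ap_req_nofail setting for a realm in a krb5.conf.

Added example, not code from pam-krb5, MIT Kerberos or Solaris. Assumption:
a per-realm entry in [realms] overrides the network-wide value in [libdefaults].
"""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")          # [libdefaults]
BLOCK_OPEN_RE = re.compile(r"^([^\s=]+)\s*=\s*\{$")  # EXAMPLE.COM = {
KV_RE = re.compile(r"^([^\s=]+)\s*=\s*(.+?)\s*$")    # key = value

# Boolean spellings accepted by the MIT profile library (assumed for Solaris too).
TRUE_WORDS = {"true", "t", "yes", "y", "on", "1"}
FALSE_WORDS = {"false", "f", "no", "n", "off", "0", "nil"}


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax needed here.

    Returns {section: {key: value}}; realm blocks inside [realms] become
    nested dicts keyed by realm name. Lines starting with # or ; are comments.
    """
    sections = {}
    section = None
    block = None  # name of the current "NAME = { ... }" block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            sections.setdefault(section, {})
            block = None
            continue
        if section is None:
            continue  # text before the first section header
        m = BLOCK_OPEN_RE.match(line)
        if m:
            block = m.group(1)  # realm names are case-sensitive; keep as written
            sections[section][block] = {}
            continue
        if line == "}":
            block = None
            continue
        m = KV_RE.match(line)
        if m:
            target = sections[section][block] if block else sections[section]
            target[m.group(1).lower()] = m.group(2)
    return sections


def effective_verify_ap_req_nofail(conf_text, realm):
    """Return 'true', 'false', or None when the option is undefined for realm."""
    conf = parse_krb5_conf(conf_text)
    value = conf.get("realms", {}).get(realm, {}).get("verify_ap_req_nofail")
    if value is None:  # fall back to the network-wide setting
        value = conf.get("libdefaults", {}).get("verify_ap_req_nofail")
    if value is None:
        return None
    word = value.lower()
    if word in TRUE_WORDS:
        return "true"
    if word in FALSE_WORDS:
        return "false"
    raise ValueError("unrecognised boolean for verify_ap_req_nofail: %r" % value)


def assess(conf_text, realm):
    """Pair the effective value with what the thread says it means for login."""
    value = effective_verify_ap_req_nofail(conf_text, realm)
    if value == "true":
        note = ("AP-REQ verification is mandatory; a missing keytab or host key "
                "makes login fail")
    elif value == "false":
        note = ("verification failures are ignored; the man page calls this "
                "vulnerable to DNS spoofing")
    else:
        note = ("undefined: Solaris treats this as true; MIT skips the check "
                "only when the keytab is missing or lacks the host key")
    return value, note


# Constructed sample: network-wide default enabled, one realm weakened.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
    LAB.EXAMPLE.COM = {
        kdc = kdc.lab.example.com
        # per-realm override of the [libdefaults] value
        verify_ap_req_nofail = false
    }
"""

if __name__ == "__main__":
    for realm in ("EXAMPLE.COM", "LAB.EXAMPLE.COM", "OTHER.EXAMPLE.COM"):
        print(realm, assess(SAMPLE_CONF, realm))
```

Run against a real /etc/krb5.conf (or Solaris /etc/krb5/krb5.conf) to see which realms would actually enforce the check and which have silently been left undefined or set to false.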