[28440] in Kerberos

home help back first fref pref prev next nref lref last post

Re: pam-krb5 3.6 released

daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Sep 19 17:36:57 2007

From: Sam Hartman <hartmans@mit.edu>
To: Russ Allbery <rra@stanford.edu>
Date: Wed, 19 Sep 2007 17:36:35 -0400
In-Reply-To: <87odfypevy.fsf@windlord.stanford.edu> (Russ Allbery's message of
	"Wed, 19 Sep 2007 13:41:05 -0700")
Message-ID: <tslmyvil4m4.fsf@mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>>>>> "Russ" == Russ Allbery <rra@stanford.edu> writes:

    Russ> Sam Hartman <hartmans@mit.edu> writes:
    >> I think that's a mischaracterization of the problem.  You need
    >> this whenever you have a service that needs to verify passwords
    >> but that cannot be trusted with a Kerberos key of its own.  It
    >> seems like that's going to be much more common than just
    >> xscreensaver.

    Russ> True, although xscreensaver is the only practical case that
    Russ> I've heard about so far.  But I believe you that there are
    Russ> probably more.

I wonder if krb5 should provide a setuid helper to do rd_req so that your keytab can be much more tightly controlled than your service?

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post