[28441] in Kerberos
Re: pam-krb5 3.6 released
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Sep 19 17:45:15 2007
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <tslmyvil4m4.fsf@mit.edu> (Sam Hartman's message of "Wed, 19 Sep
2007 17:36:35 -0400")
Date: Wed, 19 Sep 2007 14:44:51 -0700
Message-ID: <87k5qmjpnw.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Sam Hartman <hartmans@mit.edu> writes:
> I wonder if krb5 should provide a setuid helper to do rd_req so that
> your keytab can be much more tightly controlled than your service?
That would certainly make me happier than having to ship one with
pam-krb5. It's a fairly straightforward helper program, I think, although
there's the question of what keytab it should use for verification and how
that can be configured.
It would be spectacularly cool if krb5_verify_init_creds just Did The
Right Thing in such a way that applications didn't have to be aware of the
existence of the helper program. And you could use
krb5_verify_init_creds_opt_set_* functions as the way of communicating the
application desires (although there probably has to be a separate
configuration of what the program is willing to do).
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos