[28453] in Kerberos
Re: pam-krb5 3.6 released
daemon@ATHENA.MIT.EDU (Markus Moeller)
Fri Sep 21 15:55:46 2007
To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Fri, 21 Sep 2007 20:54:59 +0100
Message-ID: <fd17ip$4vn$1@sea.gmane.org>
X-Complaints-To: usenet@sea.gmane.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Thank you
Markus
"Russ Allbery" <rra@stanford.edu> wrote in message
news:87bqbyjm1i.fsf@windlord.stanford.edu...
> "Markus Moeller" <huaraz@moeller.plus.com> writes:
>
>> I have a case were an application uses pam calls to authenticate users
>> (selected by a seperate pam.conf line or pam.d/appl file). This
>> application will be maintained by an application support group which
>> generally does not need root access and the application itself runs also
>> as non root to avoid more serious system compromises. To make sure that
>> I the server talks to the right kdc I'd like to verify the ticket
>> against a keytab. As you say your code supports different keytabs which
>> is fine, but your verify call krb5_verify_init_creds uses NULL as
>> principal which means it requires a host/fqdn principal in the keytab to
>> which I don't want to give access to. I prefer to use another principal
>> like app1/fqdn which can be managed by the application support team. To
>> do so I need an option for pam_krb5 to select the principal or a way to
>> set GSS_C_NO_NAME.
>
>> Is that an unusual case ?
>
> Oh, right. Hm, how did I manage to not make a note of that? I remember
> this case and I talked myself into thinking that I'd already fixed it.
>
> Most of what you need is already there in the keytab option to use a
> different keytab, but pam-krb5 also has to provide an option to specify
> what principal to use. I was going to add that (it's not hard) but
> completely forgot.
>
> I'm fairly sure that you have to tell krb5_verify_init_creds what
> principal you're going to use; you can't just tell it to use whatever is
> in the keytab. I'm not sure why, though. It would be nice, if you pass
> in NULL, for it to just use whatever key it finds.
>
> Okay, I'm adding this to TODO right away this time so that I won't forget
> it and it will be in the next release. Sorry about that.
>
> --
> Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos