Peter Palfrader <[EMAIL PROTECTED]> writes:

> On second thought, it wouldn't help at all. If everyone can read the
> keytab then everyone can create tickets for it, right?

Oh, hm. Yes, you're right, this only helps for the case of a system service that isn't running as root but is still running as its own distinguished identity. It doesn't help for the general xscreensaver case. (Or rather, it helps *some*, in that the attacker would have to already have access to the system before they could forge KDC replies successfully for that system, but once they have access to the system, they could potentially gain access to other accounts.)

I'll have to think about this some more.

--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

