Petter Reinholdtsen <[email protected]> writes:

> Please add forwardable as an argument to the pam module in the default
> pam-auth-config setup.  It is useful when using libpam-krb5 with
> Active Directory and want to have single sign-on for other services on
> the local net.

I'm hesitant to do this because the decision of whether tickets should be
forwardable is properly a site configuration decision based on whether one
wants to take the risk that users will forward tickets to inappropriate
hosts (via typos or the like).  There's an inherent security risk in
forwardable tickets.

Sites that want to take that risk will generally want to just add

    forwardable = true

to the [libdefaults] section of krb5.conf, which will affect all methods
of obtaining Kerberos tickets, including libpam-krb5.  The forwardable
option in pam-krb5 is primarily for cases where you want some tickets to
be forwardable but not all, based on how the user authenticates.

> I have not verified that this is needed in the latest version of
> libpam-krb5, but we did need to use it when using libpam-krb5 with AD in
> Etch.  Reporting it here to increase the chance of having the
> configuration we need out of the box with Squeeze. :)

That's odd.  I'm not sure why that would have changed, since I don't
believe libpam-krb5 ever obtained forwardable tickets by default.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
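A practical check to go with the advice above: after enabling forwardable tickets site-wide (or only for pam-krb5), confirm that the TGT actually carries the forwardable flag before expecting single sign-on to other hosts to work. This is an added example, not part of the thread or of the libpam-krb5 package. It assumes the MIT Kerberos "klist -f" output format, where the TGT line is followed by a "Flags:" line and an uppercase "F" means forwardable (lowercase "f" only means already forwarded); the two listings below are constructed samples, not captured from a real cache. The krb5.conf fragments in the comments restate the reply's suggestion; the [appdefaults] form for pam-krb5 is assumed from the pam-krb5 documentation.

```shell
# Where the setting lives (constructed fragments, mirroring the reply above):
#
#   Site-wide, affects every way of getting tickets, including pam-krb5:
#       [libdefaults]
#           forwardable = true
#
#   Only for pam-krb5 (assumed from the pam-krb5 documentation), equivalent
#   to passing "forwardable" as a module argument on the PAM config line:
#       [appdefaults]
#           pam = {
#               forwardable = true
#           }
#
# Neither setting takes effect until the user obtains new tickets, so verify
# with "klist -f | tgt_is_forwardable" after the next login.

# Return 0 if the krbtgt entry in a "klist -f" listing (read from stdin)
# carries the "F" (forwardable) flag, 1 otherwise.
tgt_is_forwardable() {
    awk '
        # Service line of the TGT; its flags follow on the next line.
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /Flags:/ {
            flags = $0
            sub(/.*Flags:[ \t]*/, "", flags)   # keep only the flag letters
            if (index(flags, "F") > 0) found = 1
            in_tgt = 0
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample listings (not real output) for a stand-alone demonstration.
FORWARDABLE_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: FIA'

# Same cache shape, but the TGT is only renewable and initial, not forwardable.
NONFORWARDABLE_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bob@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Flags: RIA'

# Print a one-line verdict for a listing passed as $1 (helper for the demo).
report_forwardable() {
    if printf '%s\n' "$1" | tgt_is_forwardable; then
        echo "TGT is forwardable"
    else
        echo "TGT is NOT forwardable"
    fi
}

report_forwardable "$FORWARDABLE_SAMPLE"
report_forwardable "$NONFORWARDABLE_SAMPLE"
```

On a live system, run "klist -f | tgt_is_forwardable" in the session opened through pam-krb5; if it reports not forwardable even after the krb5.conf change, the tickets in that cache predate the change or were obtained by another path (for example, a GSSAPI credential delegation) that does not honour the setting.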
