Hi Mike,

On Thu, Jul 02, 2015 at 09:05:52AM +0000, Mike Gabriel wrote:
> Hi Guido,
>
> On Wed 01 Jul 2015 09:05:36 CEST, Guido Günther wrote:
>
> >On Tue, Jun 30, 2015 at 09:14:14PM +0000, Mike Gabriel wrote:
> >>Hi Guido,
> >>
> >>I just saw that you are co-maintainer of pykerberos. I realized after I had
> >>already put my name behind the package name in dla-needed.txt.
> >>
> >>As you are also on the LTS team, do you want to continue with uploading the
> >>package? Or shall I see to the upload and DLA? Maybe you just want to take a
> >>quick look and let me proceed. Please let me know your preferences here.
> >
> >Go ahead, you've done most of the work already. I had a look at the code
> >on github when triaging the bug and it looked correct then but can
> >break existing applications if we leave the default of verify == True
> >(as noted in the CVE list).
> >
> >Cheers,
> > -- Guido
>
> I have played with and tested the new "verify" option in checkPassword() just now.
>
> It will break things in almost all setups if verify=True is the default.
>
> Reasons:
>
> o if /etc/krb5.keytab (or whatever $KRB5_KTNAME points to) is missing,
> then an authentication attempt against Kerberos will fail.
> o NEW: if /etc/krb5.keytab (or $KRB5_KTNAME) is not readable by a user,
> then a login attempt will end in "Permission denied". As the most common
> case is that /etc/krb5.keytab is set to 0600, authentications will always
> fail with verify=True.
Yeah, that's basically what I meant by "break existing applications", but you describe it better and in far more detail. I'd go for false by default too. We should also add a note which explains which principal to add to /etc/krb5.keytab to get verify=True working.

Cheers,
 -- Guido

Archive: https://lists.debian.org/[email protected]
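As an added illustration of the failure modes Mike lists (keytab missing, keytab unreadable because it is 0600), here is a small pre-flight check an application could run before calling checkPassword() with verify=True, so the admin sees why KDC verification cannot work instead of every login failing. This is example code, not part of pykerberos or the thread; check_password is a hypothetical wrapper, and the `verify` keyword of kerberos.checkPassword is assumed to exist as the thread describes.

```python
import os

DEFAULT_KEYTAB = "/etc/krb5.keytab"


def keytab_path(env=None):
    """Resolve the keytab the Kerberos library will open: $KRB5_KTNAME
    (optionally prefixed with 'FILE:') or the default /etc/krb5.keytab."""
    env = os.environ if env is None else env
    value = env.get("KRB5_KTNAME", DEFAULT_KEYTAB)
    if value.startswith("FILE:"):
        value = value[len("FILE:"):]
    return value


def keytab_status(path):
    """Classify why verify=True would fail for the current process:
    'missing' (no file), 'unreadable' (e.g. 0600 owned by root), or 'ok'."""
    if not os.path.exists(path):
        return "missing"
    if not os.access(path, os.R_OK):
        return "unreadable"
    return "ok"


def check_password(user, password, service, default_realm, env=None):
    """Hypothetical wrapper (not pykerberos API): keep KDC verification on,
    but fail with a diagnosable error when the keytab is unusable."""
    path = keytab_path(env)
    status = keytab_status(path)
    if status != "ok":
        # Surface the cause (missing file, 0600 permissions) so the admin can
        # provision the service principal or fix ownership, rather than
        # turning verification off.
        raise RuntimeError("cannot verify KDC: keytab %s is %s" % (path, status))
    import kerberos  # assumption: pykerberos with the 'verify' option installed
    return kerberos.checkPassword(user, password, service, default_realm,
                                  verify=True)
```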
