On Thursday, August 28, 2003, at 03:54 PM, Sam Hartman wrote:
> Brian> libpam-krb5 attempts to obtain a TGT from your KDC.
> Brian> Successfully obtaining a TGT means you are authenticated.
>
> Actually, no, you need to verify this TGT against some known service principal like the local host key.
> Successfully obtaining a TGT only implies authentication if the user and a spoofed KDC aren't cooperating.
Interesting. I've used libpam-krb5 on a system which did not have a local host key, and it still worked for authentication. Granted, it's not mutual authentication, but if the KDC which responded is the real KDC, obtaining a TGT should be sufficient.
Now that you mention it, I do see the potential danger of a spoofed KDC... host keys still aren't _required_ by libpam-krb5, as far as I know. Am I missing something?
Brian
________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
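The exchange Sam and Brian are arguing about, as an added worked example that is not part of the thread and not libpam-krb5's or MIT Kerberos's code. It is a toy model: the "encryption" is a SHA-256 keystream with an HMAC tag, the principals (brian@EXAMPLE.COM, host/login.example.com), the password and all keys are constructed for the example, and there is no network. What it shows is the control flow Sam describes: a PAM module that stops once the AS-REP decrypts under the user's password has only proven that whoever answered knew the password, which an attacker running his own KDC trivially does; fetching a host/<fqdn> service ticket and decrypting it with the local keytab proves the issuer also knew the host key, which a spoofed KDC cannot. The `verify_ap_req_nofail` flag models the MIT krb5.conf option of that name, which decides what happens when there is no keytab to check against, the situation Brian describes.

```python
import hashlib
import hmac
import json
import os


def key_from_secret(secret: str) -> bytes:
    """Toy string-to-key; real Kerberos derives etype-specific keys with a salt."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for block in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption (keystream + HMAC tag); stands in for Kerberos etypes."""
    nonce = os.urandom(16)
    plaintext = json.dumps(fields, sort_keys=True).encode()
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + tag + ciphertext


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError when the key is wrong (tag mismatch)."""
    nonce, tag, ciphertext = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key")
    plaintext = bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """A KDC is a table of long-term keys; a spoofed KDC is one with the attacker's table."""

    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, user: str):
        """AS-REQ/AS-REP: TGT sealed under the krbtgt key, session key under the user's key."""
        session = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": user, "session": session})
        enc_part = seal(self.keys[user], {"session": session})
        return tgt, enc_part

    def tgs_exchange(self, tgt: bytes, service: str) -> bytes:
        """TGS-REQ/TGS-REP: service ticket sealed under the service's long-term key."""
        cname = unseal(self.keys["krbtgt"], tgt)["cname"]
        return seal(self.keys[service], {"cname": cname, "sname": service})


def pam_authenticate(kdc, user, password, host, keytab, verify_ap_req_nofail):
    """Model of the PAM decision. keytab maps principal -> key and may be empty.

    verify_ap_req_nofail mirrors the MIT krb5.conf option of that name: when no
    host key is available, False skips the ticket check, True fails closed.
    """
    tgt, enc_part = kdc.as_exchange(user)
    try:
        unseal(key_from_secret(password), enc_part)   # "successfully obtained a TGT"
    except ValueError:
        return False                                   # wrong password
    if host not in keytab:
        return not verify_ap_req_nofail                # no host key: nothing to check against
    # Prove the issuer knows the real host key: fetch a host/<fqdn> ticket and decrypt it
    # with the local keytab (what krb5_verify_init_creds does in MIT Kerberos).
    ticket = kdc.tgs_exchange(tgt, host)
    try:
        fields = unseal(keytab[host], ticket)
    except ValueError:
        return False                                   # issuer lacked the real host key: spoofed
    return fields["cname"] == user and fields["sname"] == host


# Constructed principals, password and keys; none of these exist outside this example.
USER, PASSWORD, HOST = "brian@EXAMPLE.COM", "correct horse battery", "host/login.example.com"
REAL_KEYS = {USER: key_from_secret(PASSWORD), "krbtgt": os.urandom(32), HOST: os.urandom(32)}
REAL_KDC = KDC(REAL_KEYS)
KEYTAB = {HOST: REAL_KEYS[HOST]}          # what the machine's keytab would hold
# The attacker knows the password (it may be his own account) and answers the
# AS-REQ himself, but has no way to learn the real host key.
FAKE_KDC = KDC({USER: key_from_secret(PASSWORD), "krbtgt": os.urandom(32), HOST: os.urandom(32)})


def scenarios() -> dict:
    """Each entry: which KDC answered, password, keytab, nofail -> login allowed?"""
    return {
        "real KDC, keytab present":           pam_authenticate(REAL_KDC, USER, PASSWORD, HOST, KEYTAB, False),
        "real KDC, wrong password":           pam_authenticate(REAL_KDC, USER, "guess", HOST, KEYTAB, False),
        "spoofed KDC, keytab present":        pam_authenticate(FAKE_KDC, USER, PASSWORD, HOST, KEYTAB, False),
        "spoofed KDC, no keytab, nofail off": pam_authenticate(FAKE_KDC, USER, PASSWORD, HOST, {}, False),
        "spoofed KDC, no keytab, nofail on":  pam_authenticate(FAKE_KDC, USER, PASSWORD, HOST, {}, True),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:36s} -> {'login OK' if allowed else 'denied'}")
```

The fourth scenario is the one Brian describes: with no host key on the machine and the check allowed to fall back, a TGT from whoever answered the AS-REQ is accepted, so "obtained a TGT" and "authenticated" are only the same thing when the responder is guaranteed to be the real KDC. The practical fix is to give every host that runs the PAM module its own host/<fqdn> key in the keytab, and to fail closed when it is missing rather than silently skipping the verification.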
