>>>>> "Brian" == Brian Davidson <[EMAIL PROTECTED]> writes:
Brian> Interesting. I've used libpam-krb5 on a system which did
Brian> not have a local host key, and it still worked for
Brian> authentication. Granted, it's not mutual-authentication,
Brian> but if the KDC which responded is the real KDC, obtaining a
Brian> TGT should be sufficient.

Most implementations of libpam-krb5 run in two modes. In the first
mode, they try to get credentials for the user being logged in. In
this mode, no verification happens, and the module is only a
convenience--running kinit to get tickets. In the second mode,
verification is required and the module actually provides
authentication.

Many implementations of libpam-krb5 use the existence of a host key to
determine which mode to run in.

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
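
The two modes described in the reply above, as an added example that is not part of the original thread and is not code from any libpam-krb5 implementation. It is a toy model: HMAC-sealed blobs stand in for Kerberos encryption, and `ToyKDC`, `pam_login`, the principal name and the passwords are all constructed for illustration.

```python
import hashlib, hmac, os

HOST = "host/login.example.org"        # constructed principal name

def key_from(secret: str) -> bytes:
    """Toy string-to-key: a long-term key derived from a password."""
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, payload: bytes) -> bytes:
    """Toy stand-in for Kerberos encryption: payload plus an HMAC tag."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the payload if it was sealed under `key`, else None."""
    payload, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, good) else None

class ToyKDC:
    """Answers requests using whatever long-term keys it holds."""
    def __init__(self, keys):
        self.keys = keys
    def as_rep(self, user):            # TGT reply, sealed under the user's key
        return seal(self.keys[user], b"tgt")
    def service_ticket(self, service): # ticket sealed under the service's key
        return seal(self.keys[service], b"ticket")

def pam_login(kdc, user, password, host_key=None):
    """The mode is chosen by whether a host key is available, as in the post."""
    if unseal(key_from(password), kdc.as_rep(user)) is None:
        return "denied"                # password does not match the reply
    if host_key is None:
        return "tickets-only"          # mode 1: TGT obtained, KDC not verified
    ticket = kdc.service_ticket(HOST)
    if unseal(host_key, ticket) is None:
        return "denied"                # reply was not sealed under the host key
    return "verified"                  # mode 2: KDC proved it knows the host key

host_key = os.urandom(32)              # shared only by this host and the realm KDC
realm_kdc = ToyKDC({"alice": key_from("correct horse"), HOST: host_key})
# Constructed responder that is not the realm KDC: it holds keys of its own
# making, so it cannot seal anything under the real host key.
other_kdc = ToyKDC({"alice": key_from("anything"), HOST: os.urandom(32)})

if __name__ == "__main__":
    for kdc, pw in ((realm_kdc, "correct horse"), (other_kdc, "anything")):
        print(pam_login(kdc, "alice", pw), pam_login(kdc, "alice", pw, host_key))
```

Without a host key both responders yield the same "tickets-only" result, which is why that mode is a convenience rather than authentication; only the host-key check tells them apart.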