Brian Davidson wrote:

> Now that you mention it, I do see the potential danger of a spoofed
> KDC... host keys still aren't _required_ by libpam-krb5, as far as I
> know. Am I missing something?
No - you're not missing anything. At least, Red Hat's pam_krb5 doesn't do this check.

From /usr/share/doc/pam_krb5 on Red Hat 9:

"The new TGT is validated using a copy of the key for the local workstation's host service if it is found in the local keytab file."

So the check is only done if the keytab exists. I think you also need 'validate=true' for this check to be done. You should check exactly how your pam_krb5 implementation reacts under these circumstances.

Regards,
P.

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
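The reply above names two conditions for pam_krb5 to validate a freshly obtained TGT against the workstation's own host key (and so to notice a spoofed KDC): a host/ service key must be present in the local keytab, and the module must be told to validate. The following POSIX sh audit is an added example, not code from the thread, from pam_krb5 or from the Kerberos project. It takes the text of a `klist -k` listing and of a PAM configuration file as arguments, checks both conditions, and reports whether a login on that host would actually exercise the validation. The option name `validate=true` is taken from the reply and is assumed to be the correct spelling for the pam_krb5 build in use; the keytab listing and PAM lines embedded below are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list thread): audit the two
# conditions the reply names for pam_krb5's TGT validation.
#   1. a key for host/<fqdn> is present in the local keytab, and
#   2. every pam_krb5.so "auth" line carries validate=true (option name as
#      given in the reply; assumed correct for the installed pam_krb5).
# On a real host, feed it the output of `klist -k /etc/krb5.keytab` (usually
# root-only) and the contents of /etc/pam.d/system-auth instead of the
# constructed samples at the bottom.

# Condition 1: the keytab listing (klist -k format: "KVNO Principal") holds at
# least one host/ service principal. Returns 0 if found, 1 otherwise.
keytab_has_host_key() {
    printf '%s\n' "$1" | grep -q '^ *[0-9][0-9]* *host/'
}

# Condition 2: every "auth" line that loads pam_krb5.so sets validate=true.
# Returns 0 if all do, 1 if any lacks it or if no such auth line exists.
pam_krb5_validates() {
    _lines=$(printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*auth[[:space:]].*pam_krb5\.so' || true)
    [ -n "$_lines" ] || return 1
    # Lines that survive the -v filter are auth lines missing validate=true.
    if printf '%s\n' "$_lines" \
        | grep -Ev '(^|[[:space:]])validate=true([[:space:]]|$)' \
        | grep -q .; then
        return 1
    fi
    return 0
}

# Combined verdict: 0 = the TGT will be checked against the host key,
# 1 = a KDC impersonator's TGT would be accepted as a valid login.
audit_kdc_spoof_protection() {
    keytab_has_host_key "$1" && pam_krb5_validates "$2"
}

# ---- constructed sample inputs (not captured from a real host) ----
SAMPLE_KEYTAB='KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ws1.example.com@EXAMPLE.COM
   2 host/ws1.example.com@EXAMPLE.COM'

SAMPLE_KEYTAB_NOHOST='KVNO Principal
---- --------------------------------------------------------------------------
   3 nfs/ws1.example.com@EXAMPLE.COM'

PAM_WEAK='auth     sufficient    pam_krb5.so use_first_pass
account  sufficient    pam_krb5.so'

PAM_FIXED='auth     sufficient    pam_krb5.so use_first_pass validate=true
account  sufficient    pam_krb5.so'

# Stand-alone demonstration of the three interesting combinations.
if audit_kdc_spoof_protection "$SAMPLE_KEYTAB" "$PAM_FIXED"; then
    echo "host key present + validate=true: TGT will be validated"
fi
if ! audit_kdc_spoof_protection "$SAMPLE_KEYTAB" "$PAM_WEAK"; then
    echo "validate=true missing: a spoofed KDC's TGT would be trusted"
fi
if ! audit_kdc_spoof_protection "$SAMPLE_KEYTAB_NOHOST" "$PAM_FIXED"; then
    echo "no host/ key in keytab: validation is silently skipped"
fi
```

The third case is the one the quoted documentation describes: with no host key in the keytab the module does not fail, it simply never performs the check, so an audit that only looks at the PAM options would miss it. Run `klist -k` as root, since /etc/krb5.keytab is normally unreadable to other users, and remember that the verdict only tells you whether validation is configured, not that your particular pam_krb5 build implements it the way the Red Hat documentation describes.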
