Quoting Sam Hartman <[EMAIL PROTECTED]>:

>>>>>> "Turbo" == Turbo Fredriksson <[EMAIL PROTECTED]> writes:
>
>     Turbo> Since I've separated AUTHENTICATION and AUTHORIZATION,
>     Turbo> there's no need for an LDAP/slapd keytab...
>
> Then you have a security hole.
>
> Take a look at the following text from section 10 of RFC 4120:
>
>     Proper decryption of an KRB_AS_REP message from the KDC is not
>     sufficient for the host to verify the identity of the user; the user
>     and an attacker could cooperate to generate a KRB_AS_REP format
>     message that decrypts properly but is not from the proper KDC.  To
>     authenticate a user logging on to a local system, the credentials
>     obtained in the AS exchange may first be used in a TGS exchange to
>     obtain credentials for a local server.  Those credentials must then
>     be verified by a local server through successful completion of the
>     Client/Server exchange.
>
> In particular just doing a kinit does not actually verify that the
> password is correct; it simply verifies the passwords typed at the
> command line and used by the server claiming to be the KDC are the
> same. You need a keytab to confirm the KDC is really a KDC.
Eh... What? From what I know, slapd doesn't have any means of specifying a
keytab, so even if you create one, slapd won't use it... It knows what a
srvtab is, but that's for Kerberos IV... I don't have a clue what you're
talking about, but you made me worried :)

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
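The point Sam is making from RFC 4120 section 10 is easier to see in a toy model of the three exchanges. The following is an added example written for this thread, not code from either poster or from MIT Kerberos: it stands in real encryption with a MAC-only envelope (a message "decrypts" if its tag verifies), uses a constructed realm, user and host principal, and contrasts a login routine that only checks the AS-REP against one that goes on to request a ticket for the local host service and verifies it with the host's keytab key. Whoever types the password at the login prompt can also run a rogue KDC that knows that password, so the AS-REP from the rogue KDC decrypts fine; what the rogue KDC cannot produce is a service ticket under the key in the local keytab. In MIT Kerberos this second check is what krb5_verify_init_creds() does, controlled by the verify_ap_req_nofail setting.

```python
import hashlib
import hmac
import json
import os

# Constructed model of the AS, TGS and AP exchanges from RFC 4120 section 10.
# "Sealing" is MAC-only: unseal() succeeds only when the tag verifies under
# the key, which is the one property the argument depends on.


def string_to_key(password: str, realm: str) -> bytes:
    # Stand-in for Kerberos string-to-key: a password-derived long-term key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000)


def seal(key: bytes, payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, "sha256").hexdigest()}


def unseal(key: bytes, msg: dict) -> dict:
    body = bytes.fromhex(msg["body"])
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        raise ValueError("decryption failed: wrong key")
    return json.loads(body)


class KDC:
    """A KDC holds the long-term key of every principal it issues tickets for."""

    def __init__(self, realm: str, keys: dict):
        self.realm = realm
        self.keys = keys              # principal name -> long-term key
        self.tgs_key = os.urandom(32)  # key the TGT is sealed under

    def as_exchange(self, client: str) -> dict:
        # KRB_AS_REP: session key plus TGT, sealed under the client's key.
        session = os.urandom(16).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session})
        return seal(self.keys[client], {"session": session, "tgt": tgt})

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        # KRB_TGS_REP: a ticket for `service`, sealed under the key this KDC
        # believes the service has. A rogue KDC can only guess that key.
        info = unseal(self.tgs_key, tgt)
        return seal(self.keys[service], {"client": info["client"], "session": info["session"]})


def login_kinit_only(kdc: KDC, user: str, password: str) -> bool:
    # Accepts the user as soon as the AS-REP decrypts. Per RFC 4120 §10 this
    # only shows the typed password matches whatever the responding KDC used.
    try:
        unseal(string_to_key(password, kdc.realm), kdc.as_exchange(user))
        return True
    except ValueError:
        return False


def login_verified(kdc: KDC, user: str, password: str, host: str, keytab: dict) -> bool:
    # AS exchange, then TGS exchange for the local host service, then the
    # AP step: the service ticket must verify under the host's keytab key
    # and must carry the same client and session the AS-REP gave us.
    try:
        creds = unseal(string_to_key(password, kdc.realm), kdc.as_exchange(user))
        ticket = kdc.tgs_exchange(creds["tgt"], host)
        info = unseal(keytab[host], ticket)
        return info["client"] == user and info["session"] == creds["session"]
    except (ValueError, KeyError):
        return False


# Constructed scenario: one real KDC, one rogue KDC, one host with a keytab.
REALM = "EXAMPLE.TEST"
USER = "turbo"
HOST = "host/ldap.example.test"
USER_PASSWORD = "correct-horse"
HOST_KEY = os.urandom(32)
KEYTAB = {HOST: HOST_KEY}          # what the local host actually holds

REAL_KDC = KDC(REALM, {USER: string_to_key(USER_PASSWORD, REALM), HOST: HOST_KEY})

# The rogue KDC knows the password its operator will type at the prompt,
# but has no way to know HOST_KEY, so its host key is a guess.
ROGUE_PASSWORD = "whatever-i-typed"
ROGUE_KDC = KDC(REALM, {USER: string_to_key(ROGUE_PASSWORD, REALM), HOST: os.urandom(32)})

if __name__ == "__main__":
    print("real KDC, kinit only:   ", login_kinit_only(REAL_KDC, USER, USER_PASSWORD))
    print("rogue KDC, kinit only:  ", login_kinit_only(ROGUE_KDC, USER, ROGUE_PASSWORD))
    print("rogue KDC, keytab check:", login_verified(ROGUE_KDC, USER, ROGUE_PASSWORD, HOST, KEYTAB))
    print("real KDC, keytab check: ", login_verified(REAL_KDC, USER, USER_PASSWORD, HOST, KEYTAB))
```

The second line of output is the hole: the kinit-only login says "yes" to a rogue KDC that simply agrees with the password typed at the prompt. The third line shows the keytab closing it, since the ticket the rogue KDC hands back does not verify under the key the host really has.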
