Markus Moeller <[EMAIL PROTECTED]> writes:

> 1) The application runs as non-root and I'd like to use the keytab check
> to verify that it came from the right KDC. At the moment your code
> allows to change the keytab file itself but not the service. It always
> looks for the host principal. Can you add an option to change this to
> another principal so I can keep the system keytab only accessible by
> root.

I'm pretty sure this is not the case. The PAM module just calls
krb5_verify_init_creds, and at least in the MIT implementation, it uses
whatever key it can find in the keytab to do the verification. It
doesn't have to use a host key.

> 2) Since the application doesn't need to check the existence of the user
> on the OS, can you add an option to not use the OS user check with
> getpwnam (as you mention in the code, it means pam_setcred and
> pam_open_session don't work, but that would not be needed anyway)? I
> would need only the auth and account features of PAM.

The module only calls getpwnam for session-related functions and to find
the user's .k5login file, and has fallback logic for the latter, so as
near as I can tell, this feature is already implemented. What specific
problems are you having?

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
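As an added illustration of the setup the exchange above implies (this is not code from the thread or from pam-krb5 itself): the system keytab stays root-only, the non-root application gets its own keytab holding a non-host service key for krb5_verify_init_creds to check the KDC against, and a pre-flight check confirms that the private keytab is owned by the service account and carries no group or world permission bits before the PAM stack is pointed at it. The `keytab=` option is the one pam-krb5 provides for selecting the keytab; the service account `appsvc`, the path `/etc/appsvc.keytab`, the principal `app/server.example.com@EXAMPLE.COM`, the realm and the kadmin principal are all assumed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or pam-krb5). Assumed names: service
# account "appsvc", keytab /etc/appsvc.keytab, principal
# app/server.example.com@EXAMPLE.COM, admin principal admin/admin.

# keytab_is_private FILE OWNER
# Return 0 if FILE exists, is owned by OWNER, and has no group/other
# permission bits at all. A keytab holds long-term keys: anyone who can
# read it can forge the KDC-verification step for this service.
keytab_is_private() {
    f=$1; owner=$2
    [ -f "$f" ] || { echo "no such keytab: $f" >&2; return 1; }
    # ls -ld gives "-rw------- 1 appsvc appsvc ..." on both GNU and BSD,
    # unlike stat(1), whose flag syntax differs between them.
    line=$(ls -ld "$f")
    mode=$(printf '%s' "$line" | cut -c5-10)     # group + other rwx bits
    who=$(printf '%s' "$line" | awk '{print $3}')
    [ "$mode" = "------" ] || { echo "$f is readable by others: $line" >&2; return 1; }
    [ "$who" = "$owner" ]  || { echo "$f owned by $who, not $owner" >&2; return 1; }
    return 0
}

# pam_stanza KEYTAB
# The auth/account stanza that points pam-krb5 at the private keytab
# (the thread's poster needs only these two module types, not session).
pam_stanza() {
    printf 'auth    sufficient pam_krb5.so keytab=%s\n' "$1"
    printf 'account required   pam_krb5.so\n'
}

# provision: one-time steps that need a kadmin principal; not run by the
# check above. The host principal stays in /etc/krb5.keytab (root only).
provision() {
    kadmin -p admin/admin -q "ktadd -k /etc/appsvc.keytab app/server.example.com@EXAMPLE.COM"
    chown appsvc:appsvc /etc/appsvc.keytab
    chmod 0600 /etc/appsvc.keytab
}

if [ "${1:-}" = "--check" ]; then
    keytab_is_private /etc/appsvc.keytab appsvc && pam_stanza /etc/appsvc.keytab
fi
```

Run with `--check` before enabling the stanza; a keytab that the application cannot read, or that someone else can, fails closed with a reason on stderr. One caveat worth pairing with this: MIT Kerberos only treats a missing or unreadable keytab as a verification failure when `verify_ap_req_nofail = true` is set under `[libdefaults]` in krb5.conf, so that setting belongs alongside the private keytab if the point is to detect a spoofed KDC rather than silently skip the check.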
