Russ, wouldn't it be better from a security perspective to change the default of verify_ap_req_nofail? Right now, if the keytab does not exist or the verify fails, the user can log in. Can you enforce it in pam_krb5 and ignore the check only if verify_ap_req_nofail is set to no?
Thank you
Markus

"Russ Allbery" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Markus Moeller <[EMAIL PROTECTED]> writes:
>> "Russ Allbery" <[EMAIL PROTECTED]> wrote:
>
>>> Oh, bleh. Yeah, I misread that code; I thought it was doing something smarter. Okay, added to the to-do list. It shouldn't be too difficult.
>
>> The ideal would be to use something similar to GSS_C_NO_NAME (as you, I think, intended), so that any keytab entry could be used.
>
> Yes. Unless I'm missing something, it seems like krb5_verify_init_creds could use any key in the keytab (well, provided that there isn't another key for the same principal with a later kvno) if no particular principal is specified. This would fail in cases where people have old keys in the keytab that no longer work, and it might fail in some interesting cross-realm cases with keys for other realms in the keytab, but I'd think those cases would be the ones where people could specify what principal to use for verification. And one could do something like iterating through the keytab and trying each key, I suppose.
>
> --
> Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
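As an added illustration that is not part of the thread or of pam_krb5's own documentation: the setting Markus is asking about is the verify_ap_req_nofail flag in the [libdefaults] section of krb5.conf, which krb5_verify_init_creds honours. The fragment below shows the permissive default next to the hardened value; the realm name and keytab path are assumptions for the example.

```ini
# Added example, not from the thread or from pam_krb5.
# /etc/krb5.conf (MIT krb5; Heimdal reads the same flag)

[libdefaults]
    # Assumed realm for this example.
    default_realm = EXAMPLE.COM

    # Library default: false. With false, krb5_verify_init_creds skips the
    # AP-REQ check when no keytab is readable, so a TGT obtained from an
    # answering KDC is accepted even though it was never verified against
    # a key this host holds. This is the weak default Markus describes.
    # verify_ap_req_nofail = false

    # Hardened: the initial credentials must be verified against a local
    # host key. A missing or unreadable keytab now fails the login instead
    # of silently passing it.
    verify_ap_req_nofail = true
```

Before enabling this on a host, confirm that a usable host keytab is present (for example with `klist -k /etc/krb5.keytab`), since the hardened setting turns a missing keytab into a login failure for every pam_krb5 user on that machine.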
