Sam Hartman <[EMAIL PROTECTED]> writes:

> I wonder if krb5 should provide a setuid helper to do rd_req so that
> your keytab can be much more tightly controlled than your service?

That would certainly make me happier than having to ship one with pam-krb5. It's a fairly straightforward helper program, I think, although there's the question of what keytab it should use for verification and how that can be configured.

It would be spectacularly cool if krb5_verify_init_creds just Did The Right Thing in such a way that applications didn't have to be aware of the existence of the helper program. And you could use krb5_verify_init_creds_opt_set_* functions as the way of communicating the application desires (although there probably has to be a separate configuration of what the program is willing to do).

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
