Thank you

Markus

"Russ Allbery" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> "Markus Moeller" <[EMAIL PROTECTED]> writes:
>
>> I have a case where an application uses pam calls to authenticate users
>> (selected by a separate pam.conf line or pam.d/appl file). This
>> application will be maintained by an application support group which
>> generally does not need root access and the application itself runs also
>> as non root to avoid more serious system compromises. To make sure that
>> the server talks to the right kdc I'd like to verify the ticket
>> against a keytab. As you say your code supports different keytabs which
>> is fine, but your verify call krb5_verify_init_creds uses NULL as
>> principal which means it requires a host/fqdn principal in the keytab to
>> which I don't want to give access to. I prefer to use another principal
>> like app1/fqdn which can be managed by the application support team. To
>> do so I need an option for pam_krb5 to select the principal or a way to
>> set GSS_C_NO_NAME.
>
>> Is that an unusual case?
>
> Oh, right. Hm, how did I manage to not make a note of that? I remember
> this case and I talked myself into thinking that I'd already fixed it.
>
> Most of what you need is already there in the keytab option to use a
> different keytab, but pam-krb5 also has to provide an option to specify
> what principal to use. I was going to add that (it's not hard) but
> completely forgot.
>
> I'm fairly sure that you have to tell krb5_verify_init_creds what
> principal you're going to use; you can't just tell it to use whatever is
> in the keytab. I'm not sure why, though. It would be nice, if you pass
> in NULL, for it to just use whatever key it finds.
>
> Okay, I'm adding this to TODO right away this time so that I won't forget
> it and it will be in the next release. Sorry about that.
>
> --
> Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
