[Freeipa-devel] Question about pam_krb5 and FreeIPA
W. Michael Petullo
mike at flyn.org
Mon Mar 24 08:49:31 UTC 2008
>> Unlike Apache, pam_krb5 does not seem to require a service key. My
>> understanding is that the service key is used to ensure that the Kerberos
>> server is not being spoofed. Could anyone explain why pam_krb5 does not
>> seem to require a service key? Is this optional?
> Generally, yes, you want to validate against a local key.
>
> More often, though, there is no such key available, so the module uses a
> local key if it can read the configured keytab file, and otherwise it
> can only hope that the local administrators know what they're doing.
I've submitted a patch to pam_krb5,
https://bugzilla.redhat.com/show_bug.cgi?id=436747.
This patch allows pam_krb5 to use a SUID helper application to validate
credentials using a keytab, even when the application itself is not
running as root (e.g., xscreensaver).
--
Mike
:wq