Russ Allbery <r...@debian.org> writes:
> Petter Reinholdtsen <p...@hungry.com> writes:

>> Please add forwardable as an argument to the pam module in the default
>> pam-auth-config setup. It is useful when using libpam-krb5 with
>> Active Directory and want to have single sign-on for other services on
>> the local net.

> I'm hesitant to do this because the decision of whether tickets should
> be forwardable is properly a site configuration decision based on
> whether one wants to take the risk that users will forward tickets to
> inappropriate hosts (via typos or the like). There's an inherent
> security risk in forwardable tickets.

> Sites that want to take that risk will generally want to just add

>     forwardable = true

> to the [libdefaults] section of krb5.conf, which will affect all methods
> of obtaining Kerberos tickets, including libpam-krb5. The forwardable
> option in pam-krb5 is primarily for cases where you want some tickets to
> be forwardable but not all, based on how the user authenticates.

Hi Petter,

You'd filed this bug against libpam-krb5 almost two years ago, and it's
been sticking around marked wontfix following my response, but I don't
think there was any subsequent discussion. I was thinking about closing
it, but wanted to ping you before I did so to see if you wanted to keep it
open or if you had anything else about it that you wanted to discuss.

Should I go ahead and close it?

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
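Added example, not part of the original message and not code from pam-krb5 or Debian: a small audit that reports the two places the message names where forwardable tickets can be switched on, the [libdefaults] section of krb5.conf and the forwardable argument on a pam_krb5 line. The sample file contents, the function names and the restriction to top-level [libdefaults] settings and the bare PAM argument are assumptions of this sketch.

```python
import re

# Constructed sample inputs, not taken from any real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    forwardable = true
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""
SAMPLE_PAM = """\
# constructed common-auth excerpt
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 forwardable
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
"""
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

def libdefaults_forwardable(conf):
    """Return True/False for a top-level forwardable setting in
    [libdefaults], or None if it is not set there."""
    section, depth = None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1)
            continue
        m = re.fullmatch(r"forwardable\s*=\s*(\S+)", line)
        if m and section == "libdefaults" and depth == 0:
            return m.group(1).lower() in TRUE_WORDS  # first assignment only
        depth += line.count("{") - line.count("}")
    return None

def pam_forwardable_lines(pam_text):
    """Return 1-based line numbers where pam_krb5 is passed the bare
    forwardable argument."""
    hits = []
    for num, raw in enumerate(pam_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        mods = [i for i, t in enumerate(tokens) if t.endswith("pam_krb5.so")]
        if mods and "forwardable" in tokens[mods[0] + 1:]:
            hits.append(num)
    return hits

if __name__ == "__main__":
    print("libdefaults forwardable:", libdefaults_forwardable(SAMPLE_KRB5_CONF))
    print("pam_krb5 forwardable on lines:", pam_forwardable_lines(SAMPLE_PAM))
```

A True result from the first function means every method of obtaining tickets on the host is affected; hits from the second are limited to logins through those PAM lines.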