https://bugs.kde.org/show_bug.cgi?id=481019
Pierre <pierre.sau...@stwm.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REPORTED
         Resolution|NOT A BUG                   |---

--- Comment #8 from Pierre <pierre.sau...@stwm.de> ---
At what point did I indicate that I just reused the old system? This is a rather rude insinuation, and I don't understand your tone.

Of course I set up a completely new system, with sources only from Ubuntu 25.04. That was the purpose of the exercise.

Can you demonstrate that pam_krb5 is working? It did work pre 5.27.10, and does not work now. I could understand "WONTFIX", if you deem it not important to support other pam modules than pam_unix, but "NOT A BUG" is clearly not.

Let me cite the manpage (https://manpages.ubuntu.com/manpages/trusty/man5/pam_krb5.5.html):

"After doing the initial authentication, the Kerberos PAM module will attempt to obtain tickets for a key in the local system keytab and then verify those tickets. Unless this step is performed, the authentication is vulnerable to KDC spoofing, but it requires that the system have a local key and that the PAM module be running as a user that can read the keytab file (normally /etc/krb5.keytab). You can point the Kerberos PAM module at a different keytab with the keytab option. If that keytab cannot be read or if no keys are found in it, the default (potentially insecure) behavior is to skip this check. If you want to instead fail authentication if the obtained tickets cannot be checked, set "verify_ap_req_nofail" to true in the [libdefaults] section of /etc/krb5.conf. Note that this will affect applications other than this PAM module."

You dropped the setuid binary, so this is a regression.
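
The behaviour described in the quoted manpage passage can be checked from the account that actually calls PAM. The script below is an added example, not code from this bug report, KDE or pam_krb5; the function names are hypothetical, it does not follow include directives in krb5.conf, and it approximates "keys are found" by keytab size only.

```python
import os
import re

# Boolean spellings MIT krb5 treats as true in its configuration files.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

def libdefaults_bool(conf_text, key):
    """Return the boolean value of `key` in [libdefaults]; False if unset.
    The first occurrence wins."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)          # entering a new top-level section
            continue
        if section == "libdefaults" and "=" in line:
            name, _, val = line.partition("=")
            if name.strip() == key:
                return val.strip().lower() in TRUE_VALUES
    return False

def keytab_usable(path):
    """Approximation (assumption): readable by the current user and larger
    than the 2-byte keytab version header. Individual keys are not parsed."""
    return os.access(path, os.R_OK) and os.path.getsize(path) > 2

def kdc_verification_outcome(conf_text, keytab="/etc/krb5.keytab"):
    """Classify what happens to the KDC-spoofing check for this user."""
    if keytab_usable(keytab):
        return "verified"      # tickets can be checked against the local key
    if libdefaults_bool(conf_text, "verify_ap_req_nofail"):
        return "fail-closed"   # authentication fails instead of skipping
    return "skipped"           # default: check is skipped, spoofing possible

if __name__ == "__main__":
    try:
        with open("/etc/krb5.conf") as fh:
            text = fh.read()
    except OSError:
        text = ""
    print(f"uid={os.getuid()} outcome={kdc_verification_outcome(text)}")
```

Run it as the unprivileged user whose session performs the authentication: "skipped" means logins succeed without the keytab check, "fail-closed" means they are rejected because the keytab cannot be read.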