BTW. You don't really need a keytab. Windows, for example, uses its own store
and updates it regularly as part of the system trust key update.

Markus

"Donn Cave" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> In article <[EMAIL PROTECTED]>,
> Scott Lowe <[EMAIL PROTECTED]> wrote:
>> On 2006-05-04 12:29:53 -0400, Donn Cave <[EMAIL PROTECTED]> said:
>
>> > True, though there is a sort of grey area inhabited by services
>> > that use Kerberos to perform password authentication.  This is
>> > functionally like "kinit", but semantically quite different, and
>> > without a service principal to validate the authentication results,
>> > they're vulnerable.
>> >
>> > So depending on what `successfully authenticate' actually means here,
>> > the information and instructions that say to get a service principal
>> > and a keytab may be worth listening to, even if the service appears
>> > to work without it.
>
>> I suppose if I were seeking to use a fully Kerberized server
>> application that accepts Kerberos tickets from Kerberos clients, then a
>> keytab would be necessary.  In this instance, the service does not
>> accept Kerberos authentication from connecting systems, but acts as a
>> Kerberos client on the back-end to perform authentication (using PAM).
>> It seems to make sense, then, that a keytab would not be necessary.  At
>> least, not in this situation.
>
> I guess it depends on what you mean by "necessary", but if there's
> any reasonable possibility that you could create a host service
> principal and install that keytab, I would do it.  If you have
> reason to believe that the PAM authentication isn't actually using
> the keytab, I would find out why and try to get it fixed.  Without
> it, you're vulnerable.  Of course everything's relative, and the
> authorization you're providing with this authentication may not
> warrant the concern, but that's different than thinking it isn't
> necessary in the sense that there is no use for it, which would be
> an error.
>
>   Donn Cave, [EMAIL PROTECTED]
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
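The validation step Donn is arguing for, as an added toy model in Python (not code from the list, from MIT Kerberos or from any PAM module): a password-only check accepts any answer that decrypts under the typed password, so a host answering KDC traffic with a reply built from that same typed password is accepted; requesting a service ticket and checking it against a keytab key the host does not hold catches it. "Encryption under a key" is modelled as an HMAC tag, the service name and passwords are constructed, and the TGT-to-TGS step is omitted.

```python
import hashlib
import hmac
import json
import os

# Toy model: a blob only verifies under a key its producer actually held,
# which is the property krb5_verify_init_creds-style validation relies on.

def derive_key(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, payload: dict) -> bytes:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def open_sealed(key: bytes, blob: bytes):
    tag, body = blob[:32], blob[32:]
    if hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return json.loads(body)
    return None

class HonestKDC:
    """The real KDC: holds every user key and every service (keytab) key."""
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
    def as_rep(self, user):
        return seal(self.user_keys[user], {"tgt": user})
    def tgs_rep(self, user, service):
        return seal(self.service_keys[service], {"client": user, "service": service})

class RogueKDC:
    """A host answering in the KDC's place. It knows only the password that
    was typed at the login prompt, never the real user or service keys."""
    def __init__(self, typed_password):
        self.key = derive_key(typed_password)
    def as_rep(self, user):
        return seal(self.key, {"tgt": user})          # verifies under typed password
    def tgs_rep(self, user, service):
        return seal(os.urandom(32), {"client": user, "service": service})  # no keytab key

def password_auth(kdc, user, password, keytab_key=None):
    """True if the login is accepted. keytab_key=None is the kinit-style check
    the thread calls vulnerable; a keytab key adds service-ticket validation."""
    if open_sealed(derive_key(password), kdc.as_rep(user)) is None:
        return False                                   # wrong password against a real KDC
    if keytab_key is None:
        return True                                    # accepted on the AS reply alone
    ticket = kdc.tgs_rep(user, "host/login.example.com")  # constructed service name
    return open_sealed(keytab_key, ticket) is not None
```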