"Richard E. Silverman" <[EMAIL PROTECTED]> and others wrote:
> Subject: Re: Presence/absence of the keytab
> References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
> From: "Richard E. Silverman" <[EMAIL PROTECTED]>
> Date: 06 May 2006 00:14:58 -0400
> Message-ID: <[EMAIL PROTECTED]>
> To: kerberos@mit.edu
>
> >>>>> "SL" == Scott Lowe <[EMAIL PROTECTED]> writes:
>
> SL> I was just a bit caught off-guard by the fact that the
> SL> authentication (again, via pam_krb5) worked even when the keytab
> SL> was not installed.
>
> pam_krb5 verifies your password against Kerberos, right? In that case,
> there *should* be a keytab, due to the issue alluded to earlier in this
> thread: the module should obtain a host ticket to defend against a KDC
> spoofing attack. If it let you in without that, perhaps there's a "verify
> KDC" option that's turned off (and ideally, should be turned on).
>
> --
> Richard Silverman
> [EMAIL PROTECTED]
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
There are two easy ways pam_krb5 could use a host ticket to defend against a host spoof attack.

It could contain logic to explicitly get a host ticket. Typically there will be calls to routines like
    krb5_kt_read_service_key
    krb5_mk_req
    krb5_rd_req

Or it could be using the Kerberos 5 library call krb5_verify_init_creds() to do the same thing. In the latter case there is in fact an option to control what happens when the keytab is missing. There are two ways to invoke this:

/1/ compile-time configuration: add logic:
    add variable, type: krb5_verify_init_creds_opt
    initialize with krb5_verify_init_creds_opt_init
    use krb5_verify_init_creds_opt_set_ap_req_nofail to set KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.
    pass as last parm to krb5_verify_init_creds

/2/ run-time configuration: add
    [libdefaults]
        verify_ap_req_nofail = TRUE
    to krb5.conf

At a quick glance, the "libpam-krb5 1.2.0" that comes with Debian Linux does the former - hardcoded logic. Doesn't seem to be any way to make it give up if no keytab is present, but there is a debug option that will cause it to log helpful text when various errors occur, including no keytab.

-Marcus Watts
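As an added example (not code from the thread, from pam_krb5 or from MIT Kerberos), a small shell audit that reports which of the states Marcus describes a host is in: keytab present, keytab missing with verify_ap_req_nofail set (logins fail closed), or keytab missing with nothing set (the KDC check is silently skipped, which is what Scott observed). It assumes MIT krb5.conf INI syntax and takes the krb5.conf and keytab paths as arguments.

```shell
# Added example, not code from the thread, pam_krb5 or MIT Kerberos: report
# whether a host would fail closed when the keytab needed for the KDC check
# is absent. Assumptions: MIT krb5.conf INI syntax; caller supplies both paths.

# Print the [libdefaults] value of key $2 from krb5.conf $1 (empty if unset).
libdefaults_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^[ \t]*\[/   { in_ld = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_ld && index($0, "=") {
            k = $0; v = $0
            sub(/=.*$/, "", k);     gsub(/[ \t]/, "", k)            # key, trimmed
            sub(/^[^=]*=/, "", v);  gsub(/^[ \t]+|[ \t]+$/, "", v)  # value, trimmed
            if (k == key) { print v; exit }
        }' "$1"
}

# Succeed when verify_ap_req_nofail is set to a true value. libkrb5 accepts
# several boolean spellings; assumption: true/yes/on/1/t/y cover real configs.
nofail_enabled() {
    v=$(libdefaults_value "$1" verify_ap_req_nofail | tr '[:upper:]' '[:lower:]')
    case "$v" in true|yes|on|1|t|y) return 0 ;; *) return 1 ;; esac
}

# Exit status encodes the host's state:
#   0  keytab present: krb5_verify_init_creds can verify the KDC with the host key
#   1  keytab missing, nofail set: logins fail closed until a keytab is installed
#   2  keytab missing, nofail unset: the KDC-spoofing check is silently skipped
audit_kdc_spoof_defense() {
    conf=$1; keytab=$2
    if [ -s "$keytab" ]; then
        echo "OK: $keytab present; KDC verification can run"
        return 0
    elif nofail_enabled "$conf"; then
        echo "FAIL-CLOSED: $keytab missing but verify_ap_req_nofail is set in $conf"
        return 1
    else
        echo "UNSAFE: $keytab missing and verify_ap_req_nofail unset in $conf"
        return 2
    fi
}
```

Run it as `audit_kdc_spoof_defense /etc/krb5.conf /etc/krb5.keytab`; an exit status of 2 is the silent-skip case, and the fix is either installing the host keytab or adding the [libdefaults] setting from Marcus's option /2/.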