"Richard E. Silverman" <[EMAIL PROTECTED]> and others wrote:
> Subject: Re: Presence/absence of the keytab
> From: "Richard E. Silverman" <[EMAIL PROTECTED]>
> Date: 06 May 2006 00:14:58 -0400
> Message-ID: <[EMAIL PROTECTED]>
> To: kerberos@mit.edu
> 
> >>>>> "SL" == Scott Lowe <[EMAIL PROTECTED]> writes:
> 
>     SL> I was just a bit caught off-guard by the fact that the
>     SL> authentication (again, via pam_krb5) worked even when the keytab
>     SL> was not installed.
> 
> pam_krb5 verifies your password against Kerberos, right?  In that case,
> there *should* be a keytab, due to the issue alluded to earlier in this
> thread: the module should obtain a host ticket to defend against a KDC
> spoofing attack.  If it let you in without that, perhaps there's a "verify
> KDC" option that's turned off (and ideally, should be turned on).
> 
> -- 
>   Richard Silverman
>   [EMAIL PROTECTED]
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

There are 2 easy ways pam_krb5 could use a host ticket to defend
against a host spoof attack.  It could contain logic to explicitly
get a host ticket.  Typically there will be calls to routines like
        krb5_kt_read_service_key
        krb5_mk_req
        krb5_rd_req
Or it could be using the Kerberos 5 library call krb5_verify_init_creds()
to do the same thing.  In the latter case there is in fact an option to
control what happens when the keytab is missing.  There are two ways to
invoke this:
        /1/ compile-time configuration: add logic:
                add variable, type: krb5_verify_init_creds_opt
                initialize with
                        krb5_verify_init_creds_opt_init
                use krb5_verify_init_creds_opt_set_ap_req_nofail
                        to set KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.
                pass as last parm to krb5_verify_init_creds

        /2/ run-time configuration:
                add [libdefaults]
                        verify_ap_req_nofail = TRUE
                to krb5.conf

At a quick glance, the "libpam-krb5 1.2.0" that comes with Debian Linux
does the former - hardcoded logic.  Doesn't seem to be any way to
make it give up if no keytab is present, but there is a debug option
that will cause it to log helpful text when various errors occur,
including no keytab.

                                -Marcus Watts
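An added example, not part of the thread: a POSIX sh audit of the two run-time conditions Marcus describes for option /2/, that is, verify_ap_req_nofail set in [libdefaults] of krb5.conf and a readable keytab on the host. The krb5.conf and keytab paths are assumed to be passed as arguments (defaulting to the usual /etc/ locations), and klist is consulted only when it is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Audits whether pam_krb5 on this
# host can fail closed when verifying against the KDC: the keytab must
# exist and verify_ap_req_nofail must be true, otherwise a missing keytab
# silently disables the KDC-spoofing defense.

# Print the value of a key inside [libdefaults] of a krb5.conf-style file.
# Whitespace around '=' is tolerated and '#' comments are stripped; only
# the first match inside that section is printed, nothing if absent.
libdefaults_value() {
    conf="$1"; key="$2"
    awk -v key="$key" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insec {
            line = $0
            sub(/#.*/, "", line)
            gsub(/[[:space:]]/, "", line)
            if (index(line, key "=") == 1) { print substr(line, length(key) + 2); exit }
        }
    ' "$conf"
}

# Return 0 only when both conditions hold; print one line per finding.
# Arguments: krb5.conf path (default /etc/krb5.conf), keytab path
# (default /etc/krb5.keytab). Assumed paths, not taken from the thread.
check_kdc_spoof_defense() {
    conf="${1:-/etc/krb5.conf}"; keytab="${2:-/etc/krb5.keytab}"
    rc=0
    nofail=$(libdefaults_value "$conf" verify_ap_req_nofail | tr 'A-Z' 'a-z')
    # MIT's profile parser accepts these spellings for a true boolean.
    case "$nofail" in
        true|t|yes|y|on|1) echo "ok: verify_ap_req_nofail=$nofail in $conf" ;;
        *) echo "WARN: verify_ap_req_nofail not true in $conf; a missing keytab is ignored"; rc=1 ;;
    esac
    if [ -r "$keytab" ] && [ -s "$keytab" ]; then
        echo "ok: keytab $keytab is present and readable"
        # If klist is installed, confirm the keytab actually holds a host/ key.
        if command -v klist >/dev/null 2>&1; then
            klist -k "$keytab" 2>/dev/null | grep -q 'host/' \
                || { echo "WARN: no host/ principal found in $keytab"; rc=1; }
        fi
    else
        echo "WARN: keytab $keytab is missing, empty or unreadable"; rc=1
    fi
    return $rc
}
```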