Markus Moeller <[EMAIL PROTECTED]> writes:

> wouldn't it be better from a security perspective to change the default
> of verify_ap_req_nofail. Right now if the keytab does not exist or the
> verify fails the user can login. Can you enforce it in pam_krb5 and only
> if verify_ap_req_nofail is set to no ignore the check ?
I believe this is properly left to the system administrator to decide what
behavior they want and configure krb5.conf accordingly. The man page spells
out the issues.

The default behavior in MIT Kerberos is to skip the check if the keytab is
missing or doesn't have the appropriate key, but *not* skip the check if the
keytab is present and readable but the verification fails, which seems like
a good compromise between security and ease of deployment to me.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
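As an added illustration (not code from this thread, from MIT Kerberos or from pam_krb5): a small Python model of the decision Russ describes, plus a parser for the `[libdefaults]` setting so an administrator can check what a host's krb5.conf actually requests. The krb5.conf text and the function names are constructed for this example.

```python
"""Model of the initial-credential verification policy discussed above.

Constructed example: SAMPLE_CONF and the two functions are assumptions for
illustration, not the MIT Kerberos or pam_krb5 implementation.
"""
import re

# Truthy spellings accepted for boolean values in krb5.conf.
_TRUE = {"y", "yes", "true", "t", "1", "on"}


def verify_ap_req_nofail(conf_text: str) -> bool:
    """Return the [libdefaults] verify_ap_req_nofail value (default: false)."""
    section = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):   # blank or comment line
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "verify_ap_req_nofail":
                return val.strip().lower() in _TRUE
    return False


def verify_outcome(nofail: bool, keytab_has_key: bool, ticket_valid: bool) -> str:
    """Outcome of the verification step with the defaults Russ describes.

    keytab_has_key: keytab exists, is readable and holds the host key.
    ticket_valid:   the service ticket fetched with the new TGT decrypts
                    correctly with that key.
    Returns "verified", "skipped" (login proceeds unverified) or "rejected".
    """
    if not keytab_has_key:
        # Missing keytab or key: silently skipped unless nofail is set.
        return "rejected" if nofail else "skipped"
    # A usable key is present, so a failed verification is always fatal.
    return "verified" if ticket_valid else "rejected"


# Constructed configuration: the fail-closed setting Markus asks about.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # fail the login if the keytab cannot verify the TGT
    verify_ap_req_nofail = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

if __name__ == "__main__":
    nofail = verify_ap_req_nofail(SAMPLE_CONF)
    for has_key, valid in [(False, False), (True, False), (True, True)]:
        print(f"nofail={nofail} key={has_key} valid={valid} ->",
              verify_outcome(nofail, has_key, valid))
```

With the setting absent (the MIT default), the first case prints "skipped", which is exactly the window Markus describes; with it set to true the same case is "rejected".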
