"Russ Allbery" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Markus Moeller <[EMAIL PROTECTED]> writes:
>
>> wouldn't it be better from a security perspective to change the default
>> of verify_ap_req_nofail? Right now, if the keytab does not exist or the
>> verify fails, the user can log in. Can you enforce it in pam_krb5 and only
>> ignore the check if verify_ap_req_nofail is set to no?
>
> I believe this is properly left to the system administrator to decide what
> behavior they want and configure krb5.conf accordingly.  The man page
> spells out the issues.  The default behavior in MIT Kerberos is to skip
> the check if the keytab is missing or doesn't have the appropriate key,
> but *not* skip the check if the keytab is present and readable but the
> verification fails, which seems like a good compromise between security
> and ease of deployment to me.
>

Is this different in OpenSolaris? It states that if undefined it is set to true.
I guess that is what I then always have to set in krb5.conf.

    verify_ap_req_nofail [true | false]

         If true, the local keytab file (/etc/krb5/krb5.keytab)
         must contain an entry for the local host principal, for
         example, host/[EMAIL PROTECTED] This entry is needed to
         verify that the TGT requested was issued by the same KDC
         that issued the key for the host principal. If undefined,
         the behavior is as if this option were set to true.
         Setting this value to false leaves the system vulnerable
         to DNS spoofing attacks. This parameter can be in the
         [realms] section to set it on a per-realm basis, or it can
         be in the [libdefaults] section to make it a network-wide
         setting for all realms.

    (krb5.conf(4), File Formats, SunOS 5.11; last change: 30 Aug 2006)


> -- 
> Russ Allbery ([EMAIL PROTECTED])             <http://www.eyrie.org/~eagle/>

Thanks
Markus 
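Before forcing verify_ap_req_nofail to true, the quoted man page says the local keytab must already hold host/<fqdn>@REALM, otherwise every login on that host fails the AP-REQ check. The following Python helper is an added example, not code from this thread, pam_krb5 or MIT/Sun Kerberos: it parses `klist -k` output and reports whether the host principal for a given hostname and realm is present. The keytab listing, hostname and realm below are constructed sample values.

```python
import re
import socket
import subprocess

# Constructed sample of `klist -k` output in the MIT-style format; not captured from a real host.
SAMPLE_KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ws1.example.com@EXAMPLE.COM
   3 host/ws1.example.com@EXAMPLE.COM
   2 nfs/ws1.example.com@EXAMPLE.COM
"""

# Entry lines look like "<kvno> <principal>"; header, separator and "Keytab name:" lines do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(output):
    """Return a list of (kvno, principal) tuples parsed from `klist -k` text."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def host_principal_present(entries, fqdn, realm):
    """True if host/<fqdn>@<realm> is in the keytab.

    The host part is compared case-insensitively (DNS names are), the realm exactly.
    """
    for _, principal in entries:
        if "@" not in principal:
            continue
        name, prealm = principal.rsplit("@", 1)
        if name.lower() == f"host/{fqdn.lower()}" and prealm == realm:
            return True
    return False


def safe_to_enforce(output, fqdn, realm):
    """Decide whether verify_ap_req_nofail = true can be set without breaking logins here."""
    return host_principal_present(parse_klist(output), fqdn, realm)


if __name__ == "__main__":
    # Live check (assumes klist is on PATH and the keytab is readable); falls back to the sample.
    try:
        out = subprocess.run(["klist", "-k"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_KLIST_OUTPUT
    ok = safe_to_enforce(out, socket.getfqdn(), "EXAMPLE.COM")  # assumed realm
    print("host principal present:", ok)
```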



________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos