On 2006-05-08 13:22:40 -0400, Scott Lowe [EMAIL PROTECTED] said:
On 2006-05-06 00:14:58 -0400, Richard E. Silverman [EMAIL PROTECTED] said:
SL == Scott Lowe [EMAIL PROTECTED] writes:
SL I was just a bit caught off-guard by the fact that the
SL authentication (again, via pam_krb5)
In article [EMAIL PROTECTED],
Russ Allbery [EMAIL PROTECTED] wrote:
...
The pam_krb5 modules that I've used either don't do this or only do this
when the keytab is available, presumably doing a security vs. ease of
deployment tradeoff. One difficulty is that if the authentication is not
On Friday, May 05, 2006 09:17:34 PM -0700 Russ Allbery [EMAIL PROTECTED]
wrote:
One difficulty is that if the authentication is not
being done as root, the PAM module needs something other than the host
keytab to use for verification
... or a setuid-0 helper program.
Marcus Watts [EMAIL PROTECTED] writes:
Or it could be using the kerberos 5 library call
krb5_verify_init_creds() to do the same thing. In the latter case there
is in fact an option to control what happens when the keytab is missing.
There are two ways to invoke this:
/1/ compile-time
From: Russ Allbery [EMAIL PROTECTED]
Subject: Re: Presence/absence of the keytab
Date: Fri, 05 May 2006 22:52:19 -0700
Organization: The Eyrie
Message-ID: [EMAIL PROTECTED]
References: [EMAIL PROTECTED]
To: kerberos@MIT.EDU
Marcus Watts [EMAIL PROTECTED] writes:
Or it could be using
On 2006-05-04 14:57:51 -0400, Donn Cave [EMAIL PROTECTED] said:
In article [EMAIL PROTECTED],
Scott Lowe [EMAIL PROTECTED] wrote:
I suppose if I were seeking to use a fully Kerberized server
application that accept Kerberos tickets from Kerberos clients, then a
keytab would be
SL == Scott Lowe [EMAIL PROTECTED] writes:
SL I was just a bit caught off-guard by the fact that the
SL authentication (again, via pam_krb5) worked even when the keytab
SL was not installed.
pam_krb5 verifies your password against Kerberos, right? In that case,
there *should* be a
Richard E Silverman [EMAIL PROTECTED] writes:
SL == Scott Lowe [EMAIL PROTECTED] writes:
SL I was just a bit caught off-guard by the fact that the
SL authentication (again, via pam_krb5) worked even when the keytab
SL was not installed.
pam_krb5 verifies your password against
Richard E. Silverman [EMAIL PROTECTED] and others wrote:
Subject: Re: Presence/absence of the keytab
References: [EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
From: Richard E. Silverman [EMAIL
SL == Scott Lowe [EMAIL PROTECTED] writes:
SL Yesterday, however, I was able to successfully authenticate via
SL Kerberos from VMware ESX Server 2.5.3 (the console operating
SL system is Linux-based) *without* generating a keytab. This seems
SL to fly in the face of all the
In article [EMAIL PROTECTED],
Richard E. Silverman [EMAIL PROTECTED] wrote:
SL == Scott Lowe [EMAIL PROTECTED] writes:
SL Yesterday, however, I was able to successfully authenticate via
SL Kerberos from VMware ESX Server 2.5.3 (the console operating
SL system is Linux-based)
In article [EMAIL PROTECTED],
Scott Lowe [EMAIL PROTECTED] wrote:
On 2006-05-04 12:29:53 -0400, Donn Cave [EMAIL PROTECTED] said:
True, though there is a sort of grey area inhabited by services
that use Kerberos to perform password authentication. This is
functionally like kinit, but
BTW. You don't really need a keytab. Windows uses for example its own store
and updates it regularly as part of the system trust key update.
Markus
Donn Cave [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
In article [EMAIL PROTECTED],
Scott Lowe [EMAIL PROTECTED] wrote:
On
On 2006-05-04 12:29:53 -0400, Donn Cave [EMAIL PROTECTED] said:
In article [EMAIL PROTECTED],
Richard E. Silverman [EMAIL PROTECTED] wrote:
SL == Scott Lowe [EMAIL PROTECTED] writes:
SL Yesterday, however, I was able to successfully authenticate via
SL Kerberos from VMware ESX Server
On 2006-05-04 03:38:27 -0400, Richard E. Silverman [EMAIL PROTECTED] said:
SL == Scott Lowe [EMAIL PROTECTED] writes:
SL Yesterday, however, I was able to successfully authenticate via
SL Kerberos from VMware ESX Server 2.5.3 (the console operating
SL system is Linux-based)
BTW. You don't really need a keytab. Windows uses for example its own store
and updates it regularly as part of the system trust key update.
Right, but for all intents and purposes it's effectively the same thing.
The only difference is that Windows stores a string from which the keys
can be
16 matches
Mail list logo