Re: Presence/absence of the keytab

2006-05-16 Thread Scott Lowe
On 2006-05-08 13:22:40 -0400, Scott Lowe [EMAIL PROTECTED] said: On 2006-05-06 00:14:58 -0400, Richard E. Silverman [EMAIL PROTECTED] said: SL == Scott Lowe [EMAIL PROTECTED] writes: SL> I was just a bit caught off-guard by the fact that the authentication (again, via pam_krb5)

Re: Presence/absence of the keytab

2006-05-09 Thread Donn Cave
In article [EMAIL PROTECTED], Russ Allbery [EMAIL PROTECTED] wrote: ... The pam_krb5 modules that I've used either don't do this or only do this when the keytab is available, presumably doing a security vs. ease of deployment tradeoff. One difficulty is that if the authentication is not

Re: Presence/absence of the keytab

2006-05-09 Thread Jeffrey Hutzelman
On Friday, May 05, 2006 09:17:34 PM -0700 Russ Allbery [EMAIL PROTECTED] wrote: One difficulty is that if the authentication is not being done as root, the PAM module needs something other than the host keytab to use for verification ... or a setuid-0 helper program.

Re: Presence/absence of the keytab

2006-05-06 Thread Russ Allbery
Marcus Watts [EMAIL PROTECTED] writes: Or it could be using the kerberos 5 library call krb5_verify_init_creds() to do the same thing. In the latter case there is in fact an option to control what happens when the keytab is missing. There are two ways to invoke this: /1/ compile-time

Re: Presence/absence of the keytab

2006-05-06 Thread Marcus Watts
From: Russ Allbery [EMAIL PROTECTED] Subject: Re: Presence/absence of the keytab Date: Fri, 05 May 2006 22:52:19 -0700 Organization: The Eyrie Message-ID: [EMAIL PROTECTED] References: [EMAIL PROTECTED] To: kerberos@MIT.EDU Marcus Watts [EMAIL PROTECTED] writes: Or it could be using

Re: Presence/absence of the keytab

2006-05-05 Thread Scott Lowe
On 2006-05-04 14:57:51 -0400, Donn Cave [EMAIL PROTECTED] said: In article [EMAIL PROTECTED], Scott Lowe [EMAIL PROTECTED] wrote: I suppose if I were seeking to use a fully Kerberized server application that accepts Kerberos tickets from Kerberos clients, then a keytab would be

Re: Presence/absence of the keytab

2006-05-05 Thread Richard E. Silverman
SL == Scott Lowe [EMAIL PROTECTED] writes: SL> I was just a bit caught off-guard by the fact that the authentication (again, via pam_krb5) worked even when the keytab was not installed. pam_krb5 verifies your password against Kerberos, right? In that case, there *should* be a

Re: Presence/absence of the keytab

2006-05-05 Thread Russ Allbery
Richard E Silverman [EMAIL PROTECTED] writes: SL == Scott Lowe [EMAIL PROTECTED] writes: SL> I was just a bit caught off-guard by the fact that the authentication (again, via pam_krb5) worked even when the keytab was not installed. pam_krb5 verifies your password against

Re: Presence/absence of the keytab

2006-05-05 Thread Marcus Watts
Richard E. Silverman [EMAIL PROTECTED] and others wrote: Subject: Re: Presence/absence of the keytab References: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] From: Richard E. Silverman [EMAIL

Re: Presence/absence of the keytab

2006-05-04 Thread Richard E. Silverman
SL == Scott Lowe [EMAIL PROTECTED] writes: SL> Yesterday, however, I was able to successfully authenticate via Kerberos from VMware ESX Server 2.5.3 (the console operating system is Linux-based) *without* generating a keytab. This seems to fly in the face of all the

Re: Presence/absence of the keytab

2006-05-04 Thread Donn Cave
In article [EMAIL PROTECTED], Richard E. Silverman [EMAIL PROTECTED] wrote: SL == Scott Lowe [EMAIL PROTECTED] writes: SL> Yesterday, however, I was able to successfully authenticate via Kerberos from VMware ESX Server 2.5.3 (the console operating system is Linux-based)

Re: Presence/absence of the keytab

2006-05-04 Thread Donn Cave
In article [EMAIL PROTECTED], Scott Lowe [EMAIL PROTECTED] wrote: On 2006-05-04 12:29:53 -0400, Donn Cave [EMAIL PROTECTED] said: True, though there is a sort of grey area inhabited by services that use Kerberos to perform password authentication. This is functionally like kinit, but

Re: Presence/absence of the keytab

2006-05-04 Thread Markus Moeller
BTW. You don't really need a keytab. Windows uses for example its own store and updates it regularly as part of the system trust key update. Markus Donn Cave [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] In article [EMAIL PROTECTED], Scott Lowe [EMAIL PROTECTED] wrote: On

Re: Presence/absence of the keytab

2006-05-04 Thread Scott Lowe
On 2006-05-04 12:29:53 -0400, Donn Cave [EMAIL PROTECTED] said: In article [EMAIL PROTECTED], Richard E. Silverman [EMAIL PROTECTED] wrote: SL == Scott Lowe [EMAIL PROTECTED] writes: SL> Yesterday, however, I was able to successfully authenticate via Kerberos from VMware ESX Server

Re: Presence/absence of the keytab

2006-05-04 Thread Scott Lowe
On 2006-05-04 03:38:27 -0400, Richard E. Silverman [EMAIL PROTECTED] said: SL == Scott Lowe [EMAIL PROTECTED] writes: SL> Yesterday, however, I was able to successfully authenticate via Kerberos from VMware ESX Server 2.5.3 (the console operating system is Linux-based)

Re: Presence/absence of the keytab

2006-05-04 Thread Luke Howard
BTW. You don't really need a keytab. Windows uses for example its own store and updates it regularly as part of the system trust key update. Right, but for all intents and purposes it's effectively the same thing. The only difference is that Windows stores a string from which the keys can be