Removal of plaintext krb5 support.

Andrew Bartlett abartlet at pcug.org.au
Sat Nov 10 16:21:04 GMT 2001


In a similar vein to the previous message (and again in HEAD), I would
like to remove the support for using Kerberos 5 authentication in a
plain-text mode.

This support just doesn't make any sense whatsoever, and is insecure.

The problem is that we trust the KDC, but don't verify that trust.  It
is much more secure to use the pam_krb5 module, which has the ability to
verify that trust with the local machine's own keytab, preventing a
spoofed KDC.

This is complementary to the recent addition of *real* Kerberos
authentication to smbd and smbclient, so I see little reason for this
functionality.  Finally, even on systems that don't use PAM, it is
possible to add it to the system without affecting /bin/login, i.e. just to
use the better-tested code in pam_krb5.

What is the set of systems using clear-text authentication, not using
PAM and using kerberos 5?

In any case, what I'm after is comments - which I suspect I'll get...

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
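The spoofed-KDC problem described in the message above, as an added toy model (not Samba code, and not real Kerberos): a client that only checks that its password decrypts the AS-REP will accept any user name from an attacker answering KDC traffic, whereas a pam_krb5-style client that also requests a ticket for its own host principal and decrypts it with the local keytab rejects the spoof, because the attacker does not hold the host key. The "encryption" here is an HMAC-SHA256 keystream with a tag, standing in for Kerberos encryption types; the principal names, passwords and the host/fileserver.example.com service are made up for the illustration.

```python
"""Toy model of KDC spoofing: constructed illustration, not Kerberos.
seal/unseal are an HMAC-SHA256 keystream plus tag, used only to model
"can this party produce a blob that decrypts under key K"."""
import hashlib
import hmac
import json
import os

def derive_key(secret: str) -> bytes:
    """Stand-in for Kerberos string-to-key."""
    return hashlib.sha256(secret.encode()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    plaintext = json.dumps(obj, sort_keys=True).encode()
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the sealed dict, or None if blob was not sealed under key."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))

class RealKDC:
    """The legitimate KDC: holds the long-term key of every principal."""
    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, user: str):
        session = os.urandom(32).hex()
        # AS-REP enc-part under the user's key; TGT under krbtgt's key.
        return (seal(self.keys[user], {"session": session}),
                seal(self.keys["krbtgt"], {"user": user, "session": session}))

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        t = unseal(self.keys["krbtgt"], tgt)
        if t is None or unseal(bytes.fromhex(t["session"]), authenticator) is None:
            return None
        svc_session = os.urandom(32).hex()
        # Service ticket under the service's own key: only the real KDC can produce one.
        return (seal(bytes.fromhex(t["session"]), {"session": svc_session}),
                seal(self.keys[service], {"user": t["user"], "session": svc_session}))

class SpoofedKDC:
    """Attacker answering KDC traffic; knows only the password the attacker will type."""
    def __init__(self, attacker_password: str):
        self.key = derive_key(attacker_password)
        self.session = os.urandom(32).hex()

    def as_exchange(self, user: str):
        # Any user name is fine: the enc-part is sealed under the attacker's own key.
        return (seal(self.key, {"session": self.session}),
                seal(os.urandom(32), {"user": user, "session": self.session}))

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        # Without host/<fqdn>'s key the 'ticket' can only be sealed under a random key.
        return (seal(bytes.fromhex(self.session), {"session": "x"}),
                seal(os.urandom(32), {"user": "?", "session": "x"}))

def login(kdc, user: str, password: str, host_service: str, keytab: dict, verify_kdc: bool) -> bool:
    """Client side; verify_kdc=False is the plaintext-krb5 behaviour of trusting the AS-REP alone."""
    enc_part, tgt = kdc.as_exchange(user)
    rep = unseal(derive_key(password), enc_part)
    if rep is None:
        return False  # password did not decrypt the AS-REP
    if not verify_kdc:
        return True   # trusts the KDC, never checks it
    # pam_krb5-style check: fetch a ticket for our own host principal, decrypt it with the keytab.
    session = bytes.fromhex(rep["session"])
    result = kdc.tgs_exchange(tgt, seal(session, {"client": user}), host_service)
    if result is None:
        return False
    ticket = unseal(keytab[host_service], result[1])
    return ticket is not None and ticket["user"] == user

def demo() -> dict:
    """Four logins; returns {case: accepted}. All names and secrets are made up."""
    host = "host/fileserver.example.com"
    host_key = derive_key("host-keytab-secret")
    realm = RealKDC({"alice": derive_key("alice-pw"), "krbtgt": derive_key("krbtgt-pw"), host: host_key})
    keytab = {host: host_key}
    spoof = SpoofedKDC("attacker-pw")
    return {"real_kdc_right_pw": login(realm, "alice", "alice-pw", host, keytab, True),
            "real_kdc_wrong_pw": login(realm, "alice", "nope", host, keytab, True),
            "spoofed_no_verify": login(spoof, "alice", "attacker-pw", host, keytab, False),
            "spoofed_verify": login(spoof, "alice", "attacker-pw", host, keytab, True)}
```

The "spoofed_no_verify" case is the one the message objects to: the attacker types their own password, their fake KDC seals the reply under that password's key, and the client accepts the login as alice. Only the extra round trip for a host/ ticket checked against the keytab ("spoofed_verify") exposes the spoof, which is what pam_krb5's keytab verification provides.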