Removal of plaintext krb5 support.
abartlet at pcug.org.au
Sat Nov 10 16:21:04 GMT 2001
On a similar vein to the previous message, (and again in HEAD) I would
like to remove the support for using kerberos 5 authentication in a
This support just doesn't make any sense whatsoever, and is insecure.
The problem is that we trust the KDC, but don't verify that trust. It
is much more secure to use the pam_krb5 module, which has the ability to
verify that trust with the local machine's own keytab, preventing a
This is complementary to the recent addition of *real* kerberos
authentication to smbd and smbclient, so I see little reason for this
functionality. Finally, even on systems that don't use PAM, it is
possible to add to the system without affecting /bin/login, ie just to
use the better-tested code in pam_krb5.
What is the set of systems using clear-text authentication, not using
PAM and using kerberos 5?
In any case, what I'm after is comments - which I suspect I'll get...
Andrew Bartlett abartlet at pcug.org.au
Samba Team member, Build Farm maintainer abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical