Removal of plaintext krb5 support.

Andrew Bartlett abartlet at
Sat Nov 10 16:21:04 GMT 2001

On a similar vein to the previous message, (and again in HEAD) I would
like to remove the support for using kerberos 5 authentication in a
plain-text mode.  

This support just doesn't make any sense whatsoever, and is insecure.

The problem is that we trust the KDC, but don't verify that trust.  It
is much more secure to use the pam_krb5 module, which has the ability to
verify that trust with the local machine's own keytab, preventing a
spoofed KDC.

This is complementary to the recent addition of *real* kerberos
authentication to smbd and smbclient, so I see little reason for this
functionality.  Finally, even on systems that don't use PAM, it is
possible to add to the system without affecting /bin/login, ie just to
use the better-tested code in pam_krb5.

What is the set of systems using clear-text authentication, not using
PAM and using kerberos 5?

In any case, what I'm after is comments - which I suspect I'll get...

Andrew Bartlett
Andrew Bartlett                                 abartlet at
Samba Team member, Build Farm maintainer        abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list