Removal of plaintext krb5 support.

Luke Howard lukeh at PADL.COM
Sat Nov 10 21:59:02 GMT 2001

>The problem is that we trust the KDC, but don't verify that trust.  It
>is much more secure to use the pam_krb5 module, which has the ability to
>verify that trust with the local machine's own keytab, preventing a
>spoofed KDC.

I think this is the right thing to do. Using Kerberos to verify
plaintext passwords is not in the spirit of the protocol, and
even though there are often good reasons for doing this, it
would be better to avoid duplicating code and force the use of
PAM and pam_krb5.

-- Luke

Luke Howard |
PADL Software |

More information about the samba-technical mailing list