Removal of plaintext krb5 support.
Christopher R. Hertel
crh at nts.umn.edu
Mon Nov 12 12:11:32 GMT 2001
>
> >The problem is that we trust the KDC, but don't verify that trust. It
> >is much more secure to use the pam_krb5 module, which has the ability to
> >verify that trust with the local machine's own keytab, preventing a
> >spoofed KDC.
>
> I think this is the right thing to do. Using Kerberos to verify
> plaintext passwords is not in the spirit of the protocol, and
> even though there are often good reasons for doing this, it
> would be better to avoid duplicating code and force the use of
> PAM and pam_krb5.
Keeping in mind, as A.B. pointed out, that not all of the supported
platforms can run PAM.
What work-around exists for non-PAM systems?
Chris -)-----
--
Christopher R. Hertel -)----- University of Minnesota
crh at nts.umn.edu Networking and Telecommunications Services
Ideals are like stars; you will not succeed in touching them
with your hands...you choose them as your guides, and following
them you will reach your destiny. --Carl Schultz
More information about the samba-technical
mailing list