Removal of plaintext krb5 support.

Christopher R. Hertel crh at
Mon Nov 12 12:11:32 GMT 2001

> >The problem is that we trust the KDC, but don't verify that trust.  It
> >is much more secure to use the pam_krb5 module, which has the ability to
> >verify that trust with the local machine's own keytab, preventing a
> >spoofed KDC.
> I think this is the right thing to do. Using Kerberos to verify
> plaintext passwords is not in the spirit of the protocol, and
> even though there are often good reasons for doing this, it
> would be better to avoid duplicating code and force the use of
> PAM and pam_krb5.

Keeping in mind, as A.B. pointed out, that not all of the supported 
platforms can run PAM.

What work-around exists for non-PAM systems?

Chris -)-----

Christopher R. Hertel -)-----                   University of Minnesota
crh at              Networking and Telecommunications Services

    Ideals are like stars; you will not succeed in touching them
    with your choose them as your guides, and following
    them you will reach your destiny.  --Carl Schultz

More information about the samba-technical mailing list