Peter Palfrader <[EMAIL PROTECTED]> writes:

> On Thu, 16 Nov 2006, Russ Allbery wrote:

>> This is really annoying to do with a setuid helper program; it requires
>> saving a separate ticket cache, chowning that ticket cache to root in
>> the helper process, and then validating the ticket.

> The way I pictured it, you'd get the TGT just like now, and with it
> request a ticket for the host/`hostname` service. Only that you pass on
> to the helper which verifies it by decrypting and returns true or false.

Oh, hm. Basically, open a connection to the helper process and essentially
do a Kerberos authentication to it using the newly obtained ticket? I
hadn't thought of doing it that way.

>> I'd rather recommend that people who have this concern provide a
>> world-readable keytab for some other, otherwise unprivileged principal
>> and let pam-krb5 do validation against it. Allowing someone to specify
>> an alternate keytab is easy to do and is already on my to-do list.

> Nice and impressive with its simplicity. Looking forward to that
> feature.

Do you think that would be sufficient? It does require creating a new
keytab on the system. (My impression is that most Kerberos users don't
care a lot about this issue, but maybe they should more.)

Adding it is actually nearly trivial (there will be more lines of
documentation added than code), but at this point probably will have to
wait (in Debian at least) until after etch. I have a large patch to
integrate that adds PKINIT support as well that I promised I'd try to get
into the next version.

-- 
Russ Allbery ([EMAIL PROTECTED])             <http://www.eyrie.org/~eagle/>
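The issue behind this exchange is KDC spoofing: a PAM module that only checks "did the AS-REP decrypt with the key derived from the typed password" will accept a login from anyone who can answer on the network as the KDC, because the attacker simply encrypts the reply under a password of their own choosing. The fix both proposals implement in different ways is to obtain a service ticket (host/`hostname`, or some other principal whose keytab pam-krb5 can read) and check that it decrypts with the local keytab, which a fake KDC cannot produce. The model below is an added illustration written for this page, not pam-krb5 or MIT Kerberos code. It is in Python so that it runs without a KDC; the cipher, the realm `EXAMPLE.ORG`, the principals `alice`, `host/ws.example.org` and `pam-validate/ws.example.org`, and the message layouts are all stand-ins for the real enctypes and ASN.1 structures, chosen only to show the control flow.

```python
"""Toy model of KDC spoofing against a password-only Kerberos login and of
the keytab validation step that defeats it. Not real Kerberos: the
encryption below is a stand-in encrypt-then-MAC scheme (constructed for this
example), and the KDC exchanges are reduced to the fields the check needs."""
import hashlib
import hmac
import secrets

REALM = "EXAMPLE.ORG"                       # assumed realm
HOST_PRINC = "host/ws.example.org"          # assumed workstation principal


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key: password + salt -> long-term key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        i += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; only the holder of `key` can unseal."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Genuine KDC: holds every principal's long-term key."""
    def __init__(self, keys: dict):
        self.keys = keys

    def as_rep(self, client: str):
        """AS exchange: TGT under the krbtgt key, enc-part under the client's key."""
        session = secrets.token_bytes(32)
        tgt = seal(self.keys["krbtgt"], client.encode() + b"|" + session)
        enc_part = seal(self.keys[client], b"AS-REP|" + session)
        return tgt, enc_part

    def tgs_rep(self, tgt: bytes, service: str) -> bytes:
        """TGS exchange: service ticket sealed under the service's key."""
        client, _session = unseal(self.keys["krbtgt"], tgt).split(b"|", 1)
        return seal(self.keys[service], b"TICKET|" + client + b"|" + service.encode())


class SpoofedKDC(KDC):
    """Attacker answering as the KDC. Knows no real key, only the password
    the attacker intends to type at the login prompt."""
    def __init__(self, victim: str, chosen_password: str):
        super().__init__({victim: string_to_key(chosen_password, REALM + victim),
                          "krbtgt": secrets.token_bytes(32)})

    def tgs_rep(self, tgt: bytes, service: str) -> bytes:
        client, _session = unseal(self.keys["krbtgt"], tgt).split(b"|", 1)
        # Without the service's real key the attacker can only seal under a made-up one.
        return seal(secrets.token_bytes(32), b"TICKET|" + client + b"|" + service.encode())


def pam_login(kdc, user: str, password: str, keytab: dict, validate: bool,
              service: str = HOST_PRINC) -> bool:
    """Password check as a PAM module does it. With validate=True the module
    also fetches a ticket for `service` and checks it against the keytab,
    which is what defeats a spoofed KDC. `service` may be host/<hostname>
    or an unprivileged principal whose keytab is world-readable."""
    tgt, enc_part = kdc.as_rep(user)
    try:
        unseal(string_to_key(password, REALM + user), enc_part)
    except ValueError:
        return False            # wrong password for whoever sealed the AS-REP
    if not validate:
        return True             # vulnerable: trusts whatever answered as the KDC
    try:
        body = unseal(keytab[service], kdc.tgs_rep(tgt, service))
    except ValueError:
        return False            # ticket not sealed under the real service key
    return body == b"TICKET|" + user.encode() + b"|" + service.encode()


def build_scenario():
    """Constructed sample keys: one real KDC, one spoofed KDC, two keytabs."""
    host_key = secrets.token_bytes(32)
    alt_key = secrets.token_bytes(32)
    real = KDC({"alice": string_to_key("hunter2", REALM + "alice"),
                HOST_PRINC: host_key, "pam-validate/ws.example.org": alt_key,
                "krbtgt": secrets.token_bytes(32)})
    spoof = SpoofedKDC("alice", "attacker-chosen")
    system_keytab = {HOST_PRINC: host_key}                      # root-only keytab
    alt_keytab = {"pam-validate/ws.example.org": alt_key}       # world-readable
    return real, spoof, system_keytab, alt_keytab


if __name__ == "__main__":
    real, spoof, kt, alt = build_scenario()
    print("spoofed KDC, no validation :", pam_login(spoof, "alice", "attacker-chosen", kt, False))
    print("spoofed KDC, validation    :", pam_login(spoof, "alice", "attacker-chosen", kt, True))
    print("real KDC, alt keytab       :", pam_login(real, "alice", "hunter2", alt, True,
                                                    "pam-validate/ws.example.org"))
```

The third case is the one the second proposal in the thread relies on: the validating principal does not have to be host/`hostname`; any principal whose key the KDC holds and whose keytab the unprivileged module can read is enough, since the attacker lacks that key just as much as the host key.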