Re: SASL re-entrancy crisis (was: OpenLDAP 2.0.x + pam_ldap + cyrus-imapd-2.0.x)

[GOMBAS Gabor]

On Wed, Aug 08, 2001 at 04:12:43PM -0700, [EMAIL PROTECTED] wrote:

> Aehm! Please persuse, at your leasure, the man page
>   http://sunsite.queensu.ca/cgi-bin/man-cgi?pam_krb5+5
> or the rpm summary
>   http://www.redhat.com/swr/i386/pam_krb5-1-7.i386.html
> for pam_krb5, and feel free to download this supposedly nonexistent 
> module.

Ok, I modify my opinion: you know nothing about Kerberos. pam_krb5 does
_not_ do Kerberos authentication. What it does is checking a clear text
password using Kerberos - the thing Kerberos was designed to _prevent_.

pam_krb5 is a last resort if you absolutely need to support applications
not having native Kerberos/GSSAPI support. If you are not careful enough,
using pam_krb5 can be a major security hole in your authentication system.

Gabor

-- 
Gabor Gombas                                       Eotvos Lorand University
E-mail: [EMAIL PROTECTED]                        Hungary