[Freeipa-devel] Question about pam_krb5 and FreeIPA

[Simo Sorce]

mike wrote:
> Unlike Apache, pam_krb5 does not seem to require a service key. My
> understanding is that the service key is used to ensure that the Kerberos
> server is not being spoofed. Could anyone explain why pam_krb5 does not
> seem to require a service key? Is this optional?

pam_krb5 can do that using the keyword validate in [appdefaults] pam 
section.

Simo.