[Freeipa-devel] Question about pam_krb5 and FreeIPA

[mike]

>> Unlike Apache, pam_krb5 does not seem to require a service key. My
>> understanding is that the service key is used to ensure that the Kerberos
>> server is not being spoofed. Could anyone explain why pam_krb5 does not
>> seem to require a service key? Is this optional?
>
> pam_krb5 can do that using the keyword validate in [appdefaults] pam 
> section.

Shouldn't validation be enabled by default by ipa-client-install?

Mike