[Freeipa-devel] Question about pam_krb5 and FreeIPA

Nalin Dahyabhai nalin at redhat.com
Mon Mar 10 18:30:13 UTC 2008


On Mon, Mar 10, 2008 at 12:15:55AM +0430, mike wrote:
> Unlike Apache, pam_krb5 does not seem to require a service key. My
> understanding is that the service key is used to ensure that the Kerberos
> server is not being spoofed. Could anyone explain why pam_krb5 does not
> seem to require a service key? Is this optional?

Generally, yes, you want to validate against a local key.

More often, though, there is no such key available, so the module uses a
local key if it can read the configured keytab file, and otherwise it
can only hope that the local administrators know what they're doing.

HTH,

Nalin
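
Added example, not part of the original message and not pam_krb5's own code: a Python check of whether the current user can read a keytab and find a service key in it, which is the condition the reply describes for validating against a local key. It assumes the MIT keytab file format version 0x0502 and a `host/` service key; the function names and sample principals are hypothetical, and the sample keytab is constructed with dummy keys.

```python
import struct

def keytab_principals(data):
    """List principal names in keytab bytes (file format version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)  # signed 32-bit length
        pos += 4
        if size < 0:          # negative length marks a deleted entry: skip it
            pos += -size
            continue
        entry = data[pos:pos + size]
        if size == 0 or len(entry) < size:
            break             # this example stops at padding or a truncated entry
        pos += size
        (count,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(count + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode("utf-8", "replace"))
            off += 2 + n
        names.append("/".join(parts[1:]) + "@" + parts[0])
    return names

def can_validate(path, service="host"):
    """Return (ok, reason): can the current user read a service key from path?"""
    try:
        with open(path, "rb") as f:
            names = keytab_principals(f.read())
    except (OSError, ValueError, struct.error) as e:
        return False, "keytab not usable: %s" % e
    hits = sorted({n for n in names if n.startswith(service + "/")})
    if not hits:
        return False, "no %s/ key in keytab" % service
    return True, "usable keys: " + ", ".join(hits)

def sample_entry(realm, comps, key=b"\x00" * 16):
    # Constructed entry: name type 1, timestamp 0, kvno 1, enctype 17, dummy key.
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, 1, 17, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample (dummy keys): host entry, a 6-byte hole, then an HTTP entry.
FQDN, HOLE = "client.example.com", struct.pack(">i", -6) + b"\x00" * 6
SAMPLE_KEYTAB = (b"\x05\x02" + sample_entry("EXAMPLE.COM", ["host", FQDN]) + HOLE
                 + sample_entry("EXAMPLE.COM", ["HTTP", FQDN]))
```

Run `can_validate()` as the account the PAM-using service runs under, since a keytab readable only by root gives a different answer for an unprivileged process.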



