[16598] in Kerberos_V5_Development
Re: question about krb5_verify_init_creds() and verify_ap_req_nofail
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Jan 15 19:40:59 2011
From: Greg Hudson <ghudson@mit.edu>
To: Will Fiveash <will.fiveash@oracle.com>
In-Reply-To: <20110114212150.GE22291@sun.com>
Date: Sat, 15 Jan 2011 19:40:51 -0500
Message-ID: <1295138451.2456.486.camel@ray>
Cc: Sam Hartman <hartmans@mit.edu>, MIT Kerberos Dev List <krbdev@mit.edu>

On Fri, 2011-01-14 at 16:21 -0500, Will Fiveash wrote:
> If that is true, shouldn't the
> MIT default be more restrictive and require an admin to explicitly set
> verify_ap_req_nofail to false in krb5.conf if they are less concerned
> about KDC spoofing?

Perhaps if we were designing the feature today. But if we were to
change the default in, say, 1.10, that would play havoc on sites using
pam_krb5 on unkeyed systems.