Re: libnss-ldap authenticate with host keytab? (ldap.padl.nss, msg #00031)

> Anyway, I'm using simple "use_sasl on" and "SASL_MECH GSSAPI" so that the user
> running the nss query uses their own existing kerberos ticket instead of the
> system one. This is not perfect, however, since some local users won't have

This is a security hole -- a user and rogue KDC could collude to escalate privilege. You must use the system ccache.

> This problem would ideally be moot, since the system would ideally use the
> host key, but since the nss call is made with the invoking user privileges, I
> was unable to determine how to not have the host ccache world-readable. Is
> there a way to have the ccache root-owned and filemode 600 to avoid the
> Kerberos TGT being available for all local users?

KCM has some workarounds for this.

-- Luke
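A configuration check for the point made in this reply, added here as an example and not part of the thread or of nss_ldap: it flags an ldap.conf where GSSAPI binds would fall back to the invoking user's credential cache, and where a FILE: cache named by krb5_ccname is not root-owned with mode 600. The option names use_sasl, sasl_mech and krb5_ccname, and the use of GNU stat, are assumptions.

```shell
#!/bin/sh
# Constructed audit script, not part of nss_ldap. Assumes nss_ldap reads
# use_sasl, sasl_mech and krb5_ccname from ldap.conf (case-insensitive keys)
# and that GNU stat is available.
# conf_get FILE KEY: print the value of KEY, last occurrence wins
conf_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { if (v != "") print v }' "$1"
}

# audit_nss_ldap_gssapi FILE: return 0 if the GSSAPI credential cache
# setup is acceptable, 1 if NSS lookups would trust a user-controlled cache
audit_nss_ldap_gssapi() {
    conf=$1 rc=0
    use_sasl=$(conf_get "$conf" use_sasl)
    mech=$(conf_get "$conf" sasl_mech)
    ccname=$(conf_get "$conf" krb5_ccname)
    # Only SASL binds with the GSSAPI mechanism involve a Kerberos ccache
    case "$use_sasl" in
        [Oo][Nn]|[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) ;;
        *) echo "ok: SASL not enabled"; return 0 ;;
    esac
    case "$mech" in
        [Gg][Ss][Ss][Aa][Pp][Ii]) ;;
        *) echo "ok: sasl_mech is not GSSAPI"; return 0 ;;
    esac
    # No krb5_ccname: every lookup uses the invoking user's own ccache,
    # which is the privilege-escalation hole described in the thread
    if [ -z "$ccname" ]; then
        echo "FAIL: GSSAPI bind with no krb5_ccname (per-user ccache)"; return 1
    fi
    # Only file caches have filesystem permissions to check (KCM: does not)
    case "$ccname" in
        FILE:*) path=${ccname#FILE:} ;;
        /*) path=$ccname ;;
        *) echo "info: $ccname is not a file cache, no mode to check"; return 0 ;;
    esac
    if [ ! -e "$path" ]; then
        echo "FAIL: ccache $path does not exist"; return 1
    fi
    owner=$(stat -c %u "$path") mode=$(stat -c %a "$path")
    if [ "$owner" != 0 ]; then
        echo "FAIL: ccache $path is owned by uid $owner, not root"; rc=1
    fi
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: ccache $path has mode $mode, expected 600"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "ok: $path is root-owned with mode $mode"
    return "$rc"
}
```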