On Jun 15, 2015, at 10:36 AM, Isaac Boukris <iboukris@gmail.com> wrote:
On Sun, Jun 14, 2015 at 10:19 PM, brendan kearney <bpk678@gmail.com> wrote:
Well, keytab contains the key[s] (which may have been derived from user's secret) so AFAI understand they are password equivalent.
Regards, Isaac B.
agreed, hence my "less insecure" notion, but those Risk Management types can check their check box about passwords not being stored in the clear on the file system.
To be more accurate it might depend on the key type. Generally RC4 keys are unsalted hash of the password (specifically nt-hash, see RFC 4757). Perhaps salted keys could be considered somewhat better.
Ok, well for service authentication, as Isaac quite rightly said, KRB5_CLIENT_KTNAME is the environmental variable you need to specify the keytab. Once you have that set, SASL/GSSAPI should just work in v3.0.x HEAD rlm_ldap. I got about 70% through writing the used auth/autz modifications last night, i'll try push those up today. They'll be v3.1.x only until someone tests them and verifies they work, and don't break other kerberos operations. -Arran