Kerberos password authentication module
pelle at dsv.su.se
Mon May 12 12:56:37 EDT 2014
We have been running a Shibboleth IdP behind Stanford WebAuth (using a
Kerberos KDC), but I am now planning to switch to running Shibboleth
only, as we do not have any WebAuth services anymore. So, I was reading
the wiki and found the IdPAuthUserPass page which talks about
Kerberos password authentication.
I was disappointed, however. The page recommends the Oracle/Sun/OpenJDK
Krb5LoginModule, but as has been mentioned before, that module is not
able to verify that it is talking to the correct KDC using a keytab.
What is more confusing, the wiki recommends specifying a keytab to the
module, which is certainly not the right thing to do (the keyTab option
supplied to the module is used instead of a password when getting a
ticket, not for verifying the ticket/KDC).
I guess I could update the page myself since it's a wiki, but I wanted
to check with you first. Am I correct? If so, what is the recommended
solution for Kerberos password authentication in a Shibboleth IdP? What
are others doing?
Thanks in advance.
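
Added example (not part of the original post, and not Shibboleth or wiki code): one common way to get the KDC check the post describes as missing is to use the user's fresh TGT to request a ticket for a service whose key sits in a local keytab, then accept that ticket locally. The class name, service principal and keytab path are assumptions, and Map.of requires Java 9 or later.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.ietf.jgss.*;
public class VerifiedKrb5Login {
    // Assumed values: a service principal whose key is in a keytab the IdP can read.
    static final String SERVICE = "HTTP/idp.example.org@EXAMPLE.ORG";
    static final String KEYTAB = "/path/to/idp.keytab";
    static Subject login(Map<String, String> opts, String user, char[] pw) throws Exception {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("krb5", null, callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pw);
            }
        }, cfg);
        lc.login();
        return lc.getSubject();
    }
    static boolean authenticate(String user, char[] password) throws Exception {
        // Step 1: password login. Proves only that *some* KDC answered the AS request.
        Subject client = login(Map.of(), user, password);
        // Step 2: load the service key from the keytab (acceptor only, no ticket request).
        Subject service = login(Map.of("useKeyTab", "true", "keyTab", KEYTAB,
            "principal", SERVICE, "storeKey", "true", "isInitiator", "false"), null, null);
        // Step 3: use the user's TGT to obtain a service ticket for SERVICE.
        GSSManager mgr = GSSManager.getInstance();
        byte[] token = Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSName target = mgr.createName(SERVICE, new Oid("1.2.840.113554.1.2.2.1"));
            GSSContext ctx = mgr.createContext(target, new Oid("1.2.840.113554.1.2.2"),
                                               null, GSSContext.DEFAULT_LIFETIME);
            return ctx.initSecContext(new byte[0], 0, 0);
        });
        // Step 4: decrypt the ticket with the keytab key. A KDC that does not hold the
        // real service key cannot produce a valid ticket, so accept throws GSSException.
        return Subject.doAs(service, (PrivilegedExceptionAction<Boolean>) () -> {
            GSSContext ctx = mgr.createContext((GSSCredential) null);
            ctx.acceptSecContext(token, 0, token.length);
            return ctx.isEstablished();
        });
    }
}
```

Here the keytab is used only on the accepting side, which is the verification role the post distinguishes from the module's keyTab login option.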