Kerberos password authentication module

Per Olofsson pelle at
Mon May 12 12:56:37 EDT 2014


We have been running a Shibboleth IdP behind Stanford WebAuth (using a 
Kerberos KDC), but I am now planning to switch to running Shibboleth 
only, as we do not have any WebAuth services anymore. So, I was reading 
the wiki and found the IdPAuthUserPass[1] page which talks about 
Kerberos password authentication.

I was disappointed, however. The page recommends the Oracle/Sun/OpenJDK 
Krb5LoginModule, but as has been mentioned before,[2] that module is not 
able to verify that it is talking to the correct KDC using a keytab. 
What is more confusing, the wiki recommends specifying a keytab to the 
module, which is certainly not the right thing to do (the keyTab option 
supplied to the module is used instead of a password when getting a 
ticket, not for verifying the ticket/KDC).

I guess I could update the page myself since it's a wiki, but I wanted 
to check with you first. Am I correct? If so, what is the recommended 
solution for Kerberos password authentication in a Shibboleth IdP? What 
are others doing?

Thanks in advance.


