Kerberos password authentication module
Per Olofsson
pelle at dsv.su.se
Mon May 12 12:56:37 EDT 2014
Hi,
We have been running a Shibboleth IdP behind Stanford WebAuth (using a
Kerberos KDC), but I am now planning to switch to running Shibboleth
only, as we do not have any WebAuth services anymore. So, I was reading
the wiki and found the IdPAuthUserPass[1] page which talks about
Kerberos password authentication.
I was disappointed, however. The page recommends the Oracle/Sun/OpenJDK
Krb5LoginModule, but as has been mentioned before,[2] that module is not
able to verify that it is talking to the correct KDC using a keytab.
What is more confusing, the wiki recommends specifying a keytab to the
module, which is certainly not the right thing to do (the keyTab option
supplied to the module is used instead of a password when getting a
ticket, not for verifying the ticket/KDC).
I guess I could update the page myself since it's a wiki, but I wanted
to check with you first. Am I correct? If so, what is the recommended
solution for Kerberos password authentication in a Shibboleth IdP? What
are others doing?
Thanks in advance.
[1] https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
[2] https://lists.internet2.edu/sympa/arc/shibboleth-users/2010-10/msg00240.html
--
Pelle
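
The KDC check the message says the keyTab option does not perform can be done outside the login module; the Java below is an added example, not part of the original message and not code from Shibboleth or its wiki. After the password login it requests a service ticket and accepts it with the key from the keytab, which fails if the KDC that answered does not hold that key. The principal `host/idp.example.org@EXAMPLE.ORG`, the keytab path, and the class and method names are assumptions; realm and KDC settings come from the system krb5.conf.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.ietf.jgss.*;

public class KdcVerifiedLogin {
    // Assumed placeholders: use the IdP host's own service principal and keytab.
    static final String SERVICE = "host/idp.example.org@EXAMPLE.ORG";
    static final String KEYTAB = "/etc/krb5.keytab";

    static Subject login(Map<String, String> opts, CallbackHandler cb) throws LoginException {
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        Configuration conf = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
        LoginContext lc = new LoginContext("krb5", new Subject(), cb, conf);
        lc.login();
        return lc.getSubject();
    }

    /** Password login, then proof that the answering KDC knows the service key. */
    static Subject authenticate(String user, char[] password) throws Exception {
        Subject client = login(Map.of("useTicketCache", "false"), callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        });
        // Here the keytab only accepts tickets (isInitiator=false); it never replaces a password.
        Subject service = login(Map.of("useKeyTab", "true", "keyTab", KEYTAB,
            "principal", SERVICE, "storeKey", "true", "isInitiator", "false"), null);
        GSSManager gss = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism
        // As the user: ask the KDC that issued the TGT for a ticket to SERVICE.
        byte[] apReq = Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSName target = gss.createName(SERVICE, GSSName.NT_USER_NAME);
            GSSContext ctx = gss.createContext(target, krb5, null, GSSContext.DEFAULT_LIFETIME);
            return ctx.initSecContext(new byte[0], 0, 0);
        });
        // As the service: decrypting the ticket throws GSSException if the key does not match.
        return Subject.doAs(service, (PrivilegedExceptionAction<Subject>) () -> {
            GSSContext ctx = gss.createContext((GSSCredential) null);
            ctx.acceptSecContext(apReq, 0, apReq.length);
            if (!ctx.isEstablished()) throw new GSSException(GSSException.FAILURE);
            return client;
        });
    }
}
```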