Kerberos password authentication module
Cantor, Scott
cantor.2 at osu.edu
Mon May 12 13:05:06 EDT 2014
On 5/12/14, 12:56 PM, "Per Olofsson" <pelle at dsv.su.se> wrote:
>
>I was disappointed, however. The page recommends the Oracle/Sun/OpenJDK
>Krb5LoginModule, but as has been mentioned before,[2] that module is not
>able to verify that it is talking to the correct KDC using a keytab.
It's Oracle you probably need to register that disappointment with of
course.
>
>I guess I could update the page myself since it's a wiki, but I wanted
>to check with you first. Am I correct?
Yes.
> If so, what is the recommended
>solution for Kerberos password authentication in a Shibboleth IdP?
We don't get in the business of recommending what unrelated code people
choose to run for authentication. There is no code provided by the project
that is in any way connected to Kerberos, so that means any and all
options are equally recommended.
> What are others doing?
I use the Oracle module because the network between my servers and the
KDCs is essentially internal and I operate both (or have access to both
anyway).
I would like to produce a module for V3 that does a keytab check, but
there are many higher priorities. It would be a very nice contribution for
somebody else to make since it has essentially nothing to do with
Shibboleth.
-- Scott
More information about the users
mailing list