Kerberos password authentication module

Cantor, Scott cantor.2 at
Mon May 12 13:05:06 EDT 2014

On 5/12/14, 12:56 PM, "Per Olofsson" <pelle at> wrote:
>I was disappointed, however. The page recommends the Oracle/Sun/OpenJDK
>Krb5LoginModule, but as has been mentioned before,[2] that module is not
>able to verify that it is talking to the correct KDC using a keytab.

It's Oracle you probably need to register that disappointment with of

>I guess I could update the page myself since it's a wiki, but I wanted
>to check with you first. Am I correct?


> If so, what is the recommended
>solution for Kerberos password authentication in a Shibboleth IdP?

We don't get in the business of recommending what unrelated code people
choose to run for authentication. There is no code provided by the project
that is in any way connected to Kerberos, so that means any and all
options are equally recommended.

> What are others doing?

I use the Oracle module because the network between my servers and the
KDCs is essentially internal and I operate both (or have access to both

I would like to produce a module for V3 that does a keytab check, but
there are many higher priorities. It would be a very nice contribution for
somebody else to make since it has essentially nothing to do with

-- Scott

More information about the users mailing list