Kerberos password authentication module

Per Olofsson pelle at dsv.su.se
Tue May 13 08:47:53 EDT 2014


2014-05-12 19:05, Cantor, Scott skrev:
> On 5/12/14, 12:56 PM, "Per Olofsson" <pelle at dsv.su.se> wrote:
>>
>> I was disappointed, however. The page recommends the Oracle/Sun/OpenJDK
>> Krb5LoginModule, but as has been mentioned before,[2] that module is not
>> able to verify that it is talking to the correct KDC using a keytab.
>
> It's Oracle you probably need to register that disappointment with of
> course.

Absolutely; I certainly do not blame Shibboleth for the deficiences in 
Oracle's module. However, I do blame the wiki page for misleading me 
into thinking that Oracle's module did support keytab verification. (I'm 
sure the author was in turn misled by Oracle's confusing documentation, 
though.)

Fortunately, I tested whether the module used the keytab for 
verification or not before deploying it.

>> I guess I could update the page myself since it's a wiki, but I wanted
>> to check with you first. Am I correct?
>
> Yes.

OK, I have updated the page now.

>
>> If so, what is the recommended
>> solution for Kerberos password authentication in a Shibboleth IdP?
>
> We don't get in the business of recommending what unrelated code people
> choose to run for authentication. There is no code provided by the project
> that is in any way connected to Kerberos, so that means any and all
> options are equally recommended.

OK. I guess I was just thinking that the wiki is "semi-official", since 
the wiki is where you end up when you click on "Documentation" on 
shibboleth.net. But of course, anyone can edit it.

-- 
Pelle


More information about the users mailing list