Kerberos password authentication module
Per Olofsson
pelle at dsv.su.se
Tue May 13 08:47:53 EDT 2014
2014-05-12 19:05, Cantor, Scott wrote:
> On 5/12/14, 12:56 PM, "Per Olofsson" <pelle at dsv.su.se> wrote:
>>
>> I was disappointed, however. The page recommends the Oracle/Sun/OpenJDK
>> Krb5LoginModule, but as has been mentioned before,[2] that module is not
>> able to verify that it is talking to the correct KDC using a keytab.
>
> It's Oracle you probably need to register that disappointment with of
> course.
Absolutely; I certainly do not blame Shibboleth for the deficiencies in
Oracle's module. However, I do blame the wiki page for misleading me
into thinking that Oracle's module did support keytab verification. (I'm
sure the author was in turn misled by Oracle's confusing documentation,
though.)

Fortunately, I tested whether the module used the keytab for
verification or not before deploying it.
>> I guess I could update the page myself since it's a wiki, but I wanted
>> to check with you first. Am I correct?
>
> Yes.
OK, I have updated the page now.
>
>> If so, what is the recommended
>> solution for Kerberos password authentication in a Shibboleth IdP?
>
> We don't get in the business of recommending what unrelated code people
> choose to run for authentication. There is no code provided by the project
> that is in any way connected to Kerberos, so that means any and all
> options are equally recommended.
OK. I guess I was just thinking that the wiki is "semi-official", since
the wiki is where you end up when you click on "Documentation" on
shibboleth.net. But of course, anyone can edit it.
--
Pelle