Our security tooling is flagging potential vulnerabilities in krb5. For the sake of this question, let's just assume Kerberos is not a value add for me.
We do not use Kerberos for authentication to this server; everything is handled through Amazon System Manager (SSM), which uses SSH keys to authenticate.
As a result I thought the simple solution would be to disable Kerberos based authentication.
I have thought of two potential ways to do this so far, but wanted to check that I didn't break anything:
- In Ubuntu, Kerberos auth should be handled by the pam-auth-update utility. So removing pam-auth-update should delete Kerberos. However, it might also delete other important things?
- The other option I thought of was to go into etc/services and delete krb5kdc/kpropd/etc. entries. Not sure though if this will leave pieces of Kerberos lying around, and I don't have a full list of services that Kerberos uses.
Then finally, should I be doing this at all? Is this a bad idea, if I know I do not want to use Kerberos auth ever on this server?
Asked by Tory Spelling
(1 rep)
Nov 1, 2024, 03:31 AM
Last activity: Nov 1, 2024, 03:32 AM