[24155] in Kerberos
Re: Programming in Kerberos
daemon@ATHENA.MIT.EDU (Wyllys Ingersoll)
Tue Jun 28 14:16:37 2005
Message-ID: <42C193CD.10904@sun.com>
Date: Tue, 28 Jun 2005 14:15:41 -0400
From: Wyllys Ingersoll <wyllys.ingersoll@sun.com>
MIME-Version: 1.0
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87wtof7da7.fsf@windlord.stanford.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
Russ Allbery wrote:
> Wyllys Ingersoll <wyllys.ingersoll@sun.com> writes:
>
> > Ideally, you wouldn't use the KRB5 APIs at all, you would use
> > GSSAPI instead - it is standard and portable across implementations
> > and platforms.
>
>
> Hm, is there a way to use GSSAPI to do password verification? It's
> annoying that one has to do this, but alas it's still fairly common
> to have to send a Kerberos username/password pair over a TLS
> connection to be verified on the server. GSSAPI client support is
> slow to materialize.
>
Unfortunately, not in a standard way. In Solaris, we have implemented
a "gss_acquire_cred_with_password" function that does what you are asking
for, but it is not part of other GSSAPI implementations as far as I know.
There are proposals in the KITTEN WG for extending GSSAPI to do
things like this in the next spec, though.
-Wyllys
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos