[38175] in Kerberos
Re: krb5_verify_user
daemon@ATHENA.MIT.EDU (Simo Sorce)
Tue Jan 16 16:08:43 2018
Message-ID: <1516136901.3239.147.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Imanuel Greenfeld <imanuel.greenfeld1@ntlworld.com>,
"'Benjamin Kaduk'"
<kaduk@mit.edu>
Date: Tue, 16 Jan 2018 16:08:21 -0500
In-Reply-To: <000801d38efd$10df3510$329d9f30$@ntlworld.com>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
If you need to use kerberos over HTTP you should probably use at
existing projects and reuse those, look for mod_auth_gssapi (C module
for Apache) or request-gssapi (python module that uses python-gssapi
for python-requests) and other similar efforts.
They all implement the SPNEGO RFCs: 4178, 4559 for example.
HTH,
Simo.
On Tue, 2018-01-16 at 19:06 +0000, Imanuel Greenfeld wrote:
> Hello Ben,
>
> Thanks for your advice.
>
> I understand it much better now.
>
> I'm getting a token back from the KDC - it's huge encrypted string.
>
> I need to incorporate that into my HTTP request. I'm thinking whether it
> I'll get through the authentication by adding this to HTTP header.
>
> The HTTP headers I looked at had :- Authorization: Basic <token>
>
> For example : Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1
>
> Any ideas how I can do that ? Should I treat is as a string ?
>
> Thanks
>
> Imanuel.
>
>
>
>
> -----Original Message-----
> From: Benjamin Kaduk [mailto:kaduk@mit.edu]
> Sent: 09 January 2018 00:15
> To: Imanuel Greenfeld <imanuel.greenfeld1@ntlworld.com>
> Cc: kerberos@mit.edu
> Subject: Re: krb5_verify_user
>
> On Mon, Jan 08, 2018 at 09:49:06PM +0000, Imanuel Greenfeld wrote:
> > Hello,
> >
> >
> >
> > Hope you're well.
> >
> >
> >
> > Happy new year.
> >
> >
> >
> > I am looking for krb5_verify_user function under krb5/krb5.h and in
> > fact anywhere but cannot find it.
> >
> >
> >
> > I know it's not recommended to use it with the password, but I want to
> > see if I can prove the point.
> >
> >
> >
> > I am therefore getting compilation error for the function needing a
> > prototype.
> >
> >
> >
> > I'm using 1.16 and also tried on 1.15.2
> >
> >
> >
> > Any ideas please ?
>
> krb5_verify_user() is a function in the Heimdal implementation of Kerberos,
> but is not present in MIT krb5.
>
> Upon cursory examination, it seems that
> krb5_get_init_creds_password() and krb5_verify_init_creds() together might
> be a suitable replacement. Note that it requires the caller to have access
> to a service keytab (and the principal name must be specified if it is not
> host/<localhost>).
>
> -Ben
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
