[15858] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: SWIG

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri May 28 19:02:06 2010

From: Greg Hudson <ghudson@mit.edu>
To: Phil Ehrens <pehrens@ligo.caltech.edu>
In-Reply-To: <20100528182507.GB10830@ligo.caltech.edu>
Date: Fri, 28 May 2010 19:02:01 -0400
Message-ID: <1275087721.2419.708.camel@ray>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Fri, 2010-05-28 at 14:25 -0400, Phil Ehrens wrote:
> I had no trouble wrapping krb5_get_init_creds_password
> to do password verification, but I would also like to
> wrap the kadmin functions.

Be aware that krb5_get_init_creds_password can't securely verify
passwords by itself.  The same person who is feeding you the password
can, in many cases, also impersonate a KDC and cause a successful
initial credentials exchange to occur.  (This is often called the
"Zanarotti attack," after the first person to think it up.)

If you have a host key available, you can use krb5_verify_init_creds()
to ensure that the KDC which issued tickets for the user is also in
possession of your host key, and is therefore the real KDC.

> There are a few usable interfaces to these functions
> for various scripting languages, but I think a generic
> SWIG wrapper would be a far more useful thing, and far
> more attractive to maintainers.

Unfortunately, we are not 100% comfortable with the API of our admin
interface.  We only started installing the header file in the 1.7
release, and we did so with a big disclaimer saying that it can change
from version to version (unlike the main krb5 API).

A tailored wrapper can adapt to underlying C API changes, but I think
that's harder to do with a SWIG wrapper.

> If someone could provide me with pseudocode or a C
> function that contains all the krb5 calls required
> to do a "get_query" call and clean up afterwards,
> I think I would be able to do the rest. I'm just
> having a hard time picking out the required call
> sequence.

You could look at what the kadmin client does.  It's basically:

  kadm5_init_krb5_context
  kadm5_init_with_password (or similar, as appropriate)
  kadm5_get_principal
  kadm5_destroy
  krb5_free_context


_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post