[15859] in Kerberos_V5_Development
Re: SWIG
daemon@ATHENA.MIT.EDU (Phil Ehrens)
Sat May 29 01:33:53 2010
Date: Fri, 28 May 2010 17:30:55 -0700
From: Phil Ehrens <pehrens@ligo.caltech.edu>
To: krbdev@mit.edu
Message-ID: <20100529003054.GB11411@ligo.caltech.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <1275087721.2419.708.camel@ray>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Greg Hudson wrote:
> On Fri, 2010-05-28 at 14:25 -0400, Phil Ehrens wrote:
> > I had no trouble wrapping krb5_get_init_creds_password
> > to do password verification, but I would also like to
> > wrap the kadmin functions.
>
> Be aware that krb5_get_init_creds_password can't securely verify
> passwords by itself. The same person who is feeding you the password
> can, in many cases, also impersonate a KDC and cause a successful
> initial credentials exchange to occur. (This is often called the
> "Zanarotti attack," after the first person to think it up.)
>
> If you have a host key available, you can use krb5_verify_init_creds()
> to ensure that the KDC which issued tickets for the user is also in
> possession of your host key, and is therefore the real KDC.
Thank you, I will add that to my wrapper.
> > There are a few usable interfaces to these functions
> > for various scripting languages, but I think a generic
> > SWIG wrapper would be a far more useful thing, and far
> > more attractive to maintainers.
>
> Unfortunately, we are not 100% comfortable with the API of our admin
> interface. We only started installing the header file in the 1.7
> release, and we did so with a big disclaimer saying that it can change
> from version to version (unlike the main krb5 API).
There is no disclaimer in kadmin.h in 1.7, 1.7.1, or 1.8.1.
> A tailored wrapper can adapt to underlying C API changes, but I think
> that's harder to do with a SWIG wrapper.
I don't understand why you feel that way, but please don't
feel obliged to explain, because it's not something that
we need necessarily agree about!
> > If someone could provide me with pseudocode or a C
> > function that contains all the krb5 calls required
> > to do a "get_query" call and clean up afterwards,
> > I think I would be able to do the rest. I'm just
> > having a hard time picking out the required call
> > sequence.
>
> You could look at what the kadmin client does. It's basically:
>
> kadm5_init_krb5_context
> kadm5_init_with_password (or similar, as appropriate)
> kadm5_get_principal
> kadm5_destroy
> krb5_free_context
That is exactly what I wanted! Thank you for the help!
Phil
--
Phil Ehrens <pehrens@ligo.caltech.edu>| mm
The LIGO Laboratory, MS 18-34 | /^( )^\
California Institute of Technology | \,(..),/
1200 East California Blvd. | V~~V
Pasadena, CA 91125 USA | My gpg public key:
Phone:(626)395-8518 Fax:(626)793-9744 | http://www.imbe.net/peligo.asc
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev