[17467] in Kerberos_V5_Development

Re: idea about modifying pam_krb5 use of krb5_verify_init_creds

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jan 23 00:34:59 2012

Message-ID: <4F1CF179.5000601@mit.edu>
Date: Mon, 23 Jan 2012 00:34:49 -0500
From: Greg Hudson <ghudson@mit.edu>
To: MIT Kerberos Dev List <krbdev@mit.edu>
In-Reply-To: <20120123011736.GA15450@oracle.com>

On 01/22/2012 08:17 PM, Will Fiveash wrote:
> What I'm thinking would
> be a better way for pam-krb5 to verify a user's initial krb cred is to
> use a service princ found in the existing keytab and call
> krb5_verify_init_creds() using that instead of using
> krb5_sname_to_princ().

In MIT krb5 1.10, krb5_verify_init_creds() will use the first principal
in the keytab by default.  See RT #6887 or r24749.

Also, Russ's pam-krb5 appears to have code to do what you suggest if a
keytab configuration parameter is specified (but not if the default
keytab is used, I think).
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
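
Both messages turn on which principal is "first" in a host's keytab. The following added example (not code from this thread, MIT krb5, or pam-krb5) reads the first non-deleted entry of a version 0x0502 file-format keytab image and returns its principal name. The function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample: version 0x0502, one deleted 6-byte hole, then one entry
 * for host/web.example.com@EXAMPLE.COM with a dummy 4-byte key. */
static const uint8_t SAMPLE[] =
    "\x05\x02" "\xff\xff\xff\xfa" "\0\0\0\0\0\0" "\0\0\0\x37" "\0\x02"
    "\0\x0b" "EXAMPLE.COM" "\0\x04" "host" "\0\x0f" "web.example.com"
    "\0\0\0\x03" "\0\0\0\0" "\x01" "\0\x12" "\0\x04" "\0\0\0\0";
/* Hypothetical helper: decode an n-byte big-endian integer. */
static uint32_t be(const uint8_t *p, int n) {
    uint32_t v = 0;
    while (n--) v = v << 8 | *p++;
    return v;
}
/* Append one counted octet string (16-bit length, then bytes) plus sep to out.
 * Returns the new offset into the entry, or 0 if input or output is too short. */
static size_t take(const uint8_t *e, size_t len, size_t off,
                   char *out, size_t outsz, size_t *o, char sep) {
    if (off + 2 > len) return 0;
    size_t n = be(e + off, 2);
    off += 2;
    if (n > len - off || *o + n + 1 > outsz) return 0;
    memcpy(out + *o, e + off, n);
    *o += n;
    out[(*o)++] = sep;
    return off + n;
}
/* Writes "comp/comp@REALM" (for display only, no escaping) for the first live
 * entry into out. Returns 0 on success, -1 if the image is malformed or empty. */
int first_keytab_principal(const uint8_t *kt, size_t len, char *out, size_t outsz) {
    char realm[256];
    size_t pos = 2, r = 0, o = 0;
    if (len < 2 || kt[0] != 0x05 || kt[1] != 0x02) return -1;
    while (len - pos >= 4) {
        int32_t size = (int32_t)be(kt + pos, 4);
        pos += 4;
        size_t span = size < 0 ? (size_t)(-(int64_t)size) : (size_t)size;
        if (span == 0 || span > len - pos || (size > 0 && span < 2)) return -1;
        if (size < 0) { pos += span; continue; }   /* deleted entry: skip the hole */
        uint32_t ncomp = be(kt + pos, 2);          /* realm is not counted here */
        size_t off = take(kt + pos, span, 2, realm, sizeof realm, &r, '\0');
        for (uint32_t i = 0; off && i < ncomp; i++)
            off = take(kt + pos, span, off, out, outsz, &o, '/');
        if (!off || ncomp == 0 || o + r > outsz) return -1;
        out[o - 1] = '@';                          /* replace the trailing '/' */
        memcpy(out + o, realm, r);                 /* r includes the NUL */
        return 0;
    }
    return -1;
}
```

Calling `first_keytab_principal(SAMPLE, sizeof SAMPLE - 1, buf, sizeof buf)` fills `buf` with the principal of the first live entry; on a real host, pass the bytes read from the keytab file instead.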