[17469] in Kerberos_V5_Development


Re: idea about modifying pam_krb5 use of krb5_verify_init_creds

daemon@ATHENA.MIT.EDU (Will Fiveash)
Mon Jan 23 14:29:13 2012

Date: Mon, 23 Jan 2012 13:29:03 -0600
From: Will Fiveash <will.fiveash@oracle.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20120123192903.GB29650@oracle.com>
Mail-Followup-To: Greg Hudson <ghudson@mit.edu>,
	MIT Kerberos Dev List <krbdev@mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <4F1CF179.5000601@mit.edu>
Cc: MIT Kerberos Dev List <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Mon, Jan 23, 2012 at 12:34:49AM -0500, Greg Hudson wrote:
> On 01/22/2012 08:17 PM, Will Fiveash wrote:
> > What I'm thinking would
> > be a better way for pam-krb5 to verify a user's initial krb cred is to
> > use a service princ found in the existing keytab and call
> > krb5_verify_init_creds() using that instead of using
> > krb5_sname_to_princ().
> 
> In MIT krb5 1.10, krb5_verify_init_creds() will use the first principal
> in the keytab by default.  See RT #6887 or r24749.

That seems like it would solve the issue I brought up but I still wonder
if that is enough effort given that the consequence of
krb5_verify_init_creds() failing is a user not being able to log in.  Did
you consider trying all the service princs found in the krb5.keytab in a
loop until either verification succeeds or there are no more unique
service princs to acquire a ticket for?

> Also, Russ's pam-krb5 appears to have code to do what you suggest if a
> keytab configuration parameter is specified (but not if the default
> keytab is used, I think).

Good to know, thanks.

-- 
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
