[17470] in Kerberos_V5_Development
Re: idea about modifying pam_krb5 use of krb5_verify_init_creds
daemon@ATHENA.MIT.EDU (Will Fiveash)
Mon Jan 23 14:33:16 2012
Date: Mon, 23 Jan 2012 13:33:10 -0600
From: Will Fiveash <will.fiveash@oracle.com>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <20120123193310.GC29650@oracle.com>
Mail-Followup-To: Russ Allbery <rra@stanford.edu>,
MIT Kerberos Dev List <krbdev@MIT.EDU>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <87pqebxlal.fsf@windlord.stanford.edu>
Cc: MIT Kerberos Dev List <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Sun, Jan 22, 2012 at 05:25:06PM -0800, Russ Allbery wrote:
> Will Fiveash <will.fiveash@oracle.com> writes:
>
> > People may have addressed this already but for Solaris when one has
> > provisioned a krb5.keytab with a host princ and is using pam-krb5 in the
> > pam.conf auth stack, if the hostname changes the pam-krb5 will fail to
> > verify a user's initial krb cred unless there is a host service princ in
> > the krb5.keytab that matches the new hostname. What I'm thinking would
> > be a better way for pam-krb5 to verify a user's initial krb cred is to
> > use a service princ found in the existing keytab and call
> > krb5_verify_init_creds() using that instead of using
> > krb5_sname_to_princ(). In fact, pam-krb5 could get a list of all unique
> > service princ names for the default realm in the keytab and call
> > krb5_verify_init_creds() in a loop until either one succeeds or they all
> > fail. Thoughts?
>
> My preference, rather than putting code into pam-krb5 to read the keytab,
> would be for there to be some way to tell krb5_verify_init_creds to
> internally switch to this behavior.
Yes, that sounds like a better approach. I see from Greg's e-mail on
this thread that MIT has modified krb5_verify_init_creds() to use a
principal taken from the keytab to acquire a ticket for instead of
defaulting to krb5_sname_to_princ().
> This seems similar to, although distinct from, the discussion a while back
> (with patches by Luke Howard) to use principal canonicalization.
I will look for that, thanks.
--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
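The keytab-scanning step Will describes (collect the unique service principals for the default realm from the keytab, then try each one until a verification succeeds) as an added example in Python; this is not code from pam-krb5 or MIT krb5. It parses the MIT version-2 keytab file format directly, skips deleted slots and rejects truncated entries, and stands in for the krb5_verify_init_creds() call with a caller-supplied callback, since the real verification needs a KDC. The keytab bytes, realm, hostnames and keys below are constructed for the example, and treating only multi-component principals as "service" principals is an assumption.

```python
import struct
from typing import Callable, Dict, Iterator, List, Optional, Tuple

KEYTAB_VERSION = 0x0502  # MIT keytab format v2: all integer fields big-endian


def _counted(b: bytes) -> bytes:
    """Counted octet string as used in keytab files: uint16 length + bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab_entry(realm: str, components: List[str], enctype: int, key: bytes,
                       vno: int, timestamp: int = 0, name_type: int = 1) -> bytes:
    """Serialise one keytab entry, prefixed with its int32 size (constructed test data)."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)  # name type, time, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)             # keyblock
    body += struct.pack(">I", vno)                                  # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def _read_counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def iter_keytab_entries(data: bytes) -> Iterator[Dict]:
    """Yield live entries from a v2 keytab; deleted slots (negative size) are skipped."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != KEYTAB_VERSION:
        raise ValueError("not a version-2 keytab")
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:           # deleted entry: the payload of -size bytes is dead space
            off += -size
            continue
        if off + size > len(data):
            raise ValueError("truncated keytab entry")
        entry = data[off:off + size]
        off += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, pos = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(entry, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", entry, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", entry, pos)
        pos += 4
        key = entry[pos:pos + keylen]
        pos += keylen
        vno = vno8
        if pos + 4 <= size:     # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", entry, pos)
        yield {"realm": realm.decode(), "components": comps,
               "principal": "/".join(comps) + "@" + realm.decode(),
               "enctype": enctype, "vno": vno, "key": key}


def unique_service_principals(data: bytes, default_realm: str) -> List[str]:
    """Unique service principals in default_realm, first-seen order (one name per enctype set)."""
    seen: List[str] = []
    for e in iter_keytab_entries(data):
        # Assumption: a service principal has at least two components (service/host).
        if e["realm"] != default_realm or len(e["components"]) < 2:
            continue
        if e["principal"] not in seen:
            seen.append(e["principal"])
    return seen


def verify_with_keytab_principals(data: bytes, default_realm: str,
                                  verify: Callable[[str], bool]) -> Optional[str]:
    """The loop from the thread: try each candidate until one verifies (verify stands in
    for krb5_verify_init_creds); return the principal that worked, or None if all fail."""
    for princ in unique_service_principals(data, default_realm):
        if verify(princ):
            return princ
    return None


# Constructed keytab: host/ entry in two enctypes, a deleted slot, an nfs/ entry,
# and an entry for another realm that must be ignored for default realm EXAMPLE.COM.
SAMPLE_KEYTAB = (
    struct.pack(">H", KEYTAB_VERSION)
    + build_keytab_entry("EXAMPLE.COM", ["host", "oldname.example.com"], 17, b"\x11" * 16, 2, 1327000000)
    + build_keytab_entry("EXAMPLE.COM", ["host", "oldname.example.com"], 18, b"\x22" * 32, 2, 1327000000)
    + struct.pack(">i", -6) + b"\x00" * 6
    + build_keytab_entry("EXAMPLE.COM", ["nfs", "oldname.example.com"], 17, b"\x33" * 16, 1)
    + build_keytab_entry("OTHER.ORG", ["host", "fs.other.org"], 17, b"\x44" * 16, 1)
)

if __name__ == "__main__":
    # Simulate the renamed-host case: only the nfs/ principal still verifies.
    print(unique_service_principals(SAMPLE_KEYTAB, "EXAMPLE.COM"))
    print(verify_with_keytab_principals(SAMPLE_KEYTAB, "EXAMPLE.COM", lambda p: p.startswith("nfs/")))
```

Against a real keytab, compare the principal list with the output of `klist -k` to check the parser; the point of the loop is that verification no longer depends on the hostname that krb5_sname_to_princ() would derive at runtime, only on what is actually in the keytab.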