[17471] in Kerberos_V5_Development


Re: idea about modifying pam_krb5 use of krb5_verify_init_creds

daemon@ATHENA.MIT.EDU (Will Fiveash)
Mon Jan 23 15:44:37 2012

Date: Mon, 23 Jan 2012 14:44:31 -0600
From: Will Fiveash <will.fiveash@oracle.com>
To: Greg Hudson <ghudson@mit.edu>, MIT Kerberos Dev List <krbdev@mit.edu>
Message-ID: <20120123204431.GD29650@oracle.com>
Mail-Followup-To: Greg Hudson <ghudson@mit.edu>,
	MIT Kerberos Dev List <krbdev@mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20120123192903.GB29650@oracle.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Mon, Jan 23, 2012 at 01:29:03PM -0600, Will Fiveash wrote:
> On Mon, Jan 23, 2012 at 12:34:49AM -0500, Greg Hudson wrote:
> > On 01/22/2012 08:17 PM, Will Fiveash wrote:
> > > What I'm thinking would
> > > be a better way for pam-krb5 to verify a user's initial krb cred is to
> > > use a service princ found in the existing keytab and call
> > > krb5_verify_init_creds() using that instead of using
> > > krb5_sname_to_princ().
> > 
> > In MIT krb5 1.10, krb5_verify_init_creds() will use the first principal
> > in the keytab by default.  See RT #6887 or r24749.
> 
> That seems like it would solve the issue I brought up but I still wonder
> if that is enough effort given that the consequence of
> krb5_verify_init_creds() failing is a user not being able to login.  Did
> you consider trying all the service princs found in the krb5.keytab in a
> loop until either verification succeeds or there are no more unique
> service princs to acquire a ticket for?

Also, it could be useful, in the case that the caller of
krb5_verify_init_creds() doesn't specify a server, for
krb5_verify_init_creds() to set an output parameter to the name of the
service princ it used in successfully verifying a user's TGT.  Given that
krb5_verify_init_creds() is part of the public krb API, does it make
sense to create krb5_verify_init_creds_ext() to provide this capability?

-- 
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
