[7613] in Kerberos
Re: Kerberos v5 internals - password changing
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Thu Jul 11 01:02:38 1996
To: kerberos@MIT.EDU
Date: 10 Jul 1996 23:51:04 -0400
From: kenh@cmf.nrl.navy.mil (Ken Hornstein)
In article <4s0qp7$n4t@azure.acsu.buffalo.edu>,
Matthew D Stock <stock@acsu.buffalo.edu> wrote:
>Hi. I'm in need of some help untangling the v5 kadmind sources. I need to
>make some modifications to the server to do password synchronization between
>kerberos principals and NIS+. I've found the function I need to add the
>NIS+ password changing code to (passwd_change() - duh!), but I have some
>questions about how the data is stored.
>
>Given the data in the various krb5 data structures, how can I determine the
>username and new password of the given user? Given the principal name I can
>make some assumptions to give me the username, but I'm not familiar with
>the code enough to know how this is stored. Ditto for the new passwd.

The username is typically stored as "username@realm". You can get a
db entry for that username by converting the username into a principal
with krb5_parse_name(), and then calling krb5_db_get_principal().
(Look at the source to kdb5_edit, particularly cpw.c.)

In the database, the password is converted to an encryption key (this is
done by calling krb5_string_to_key() with the appropriate salt type),
and then encrypted with the database master key.

If you want to save yourself time, you can just call krb5_dbe_cpw() with
the text password - that does all the right magic. Look at cpw.c to see
how this works.

--Ken
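
One conservative way to do the principal-to-username step asked about above, as an added example that is not part of the original message and not code from the krb5 sources. It works on the string form "name@REALM" without libkrb5; the function name, the character allowlist and the realm EXAMPLE.COM are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: map "name@REALM" to a local username.
 * Returns 0 and fills `user` on success, -1 (with user = "") otherwise. */
int principal_to_username(const char *princ, const char *local_realm,
                          char *user, size_t userlen)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    const char *at;
    size_t n;

    if (userlen == 0)
        return -1;
    user[0] = '\0';

    /* The realm must be present and must be ours: alice@OTHER.REALM is a
     * different person from the local alice. */
    at = strchr(princ, '@');
    if (at == NULL || strcmp(at + 1, local_realm) != 0)
        return -1;

    /* Everything before '@' must be one plain component. The allowlist
     * rejects '/', so alice/admin is never synced as alice, and rejects
     * '\\' (quoting), ':' and whitespace, which could corrupt a passwd entry. */
    n = (size_t)(at - princ);
    if (n == 0 || n >= userlen || strspn(princ, ok) != n)
        return -1;

    memcpy(user, princ, n);
    user[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample principals, not taken from any real database. */
    const char *samples[] = { "alice@EXAMPLE.COM", "alice/admin@EXAMPLE.COM",
                              "alice@OTHER.EXAMPLE", "al\\@ice@EXAMPLE.COM" };
    char user[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %s\n", samples[i],
               principal_to_username(samples[i], "EXAMPLE.COM", user,
                                     sizeof user) == 0 ? user : "(skip)");
    return 0;
}
```

Principals that fail the mapping are skipped rather than guessed at, so an admin instance or a foreign-realm principal never overwrites a local account's password entry.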