GSS-API userok

Fredrik Tolf fredrik at dolda2000.com
Sun Aug 22 20:28:37 EDT 2004


Hi!

I'm a mere home admin, always striving for greater Kerberization of my
network. In all this relentless striving, I hit a question for which I
have not been able to find an answer. Thus, I'm turning to this
newsgroup in hope of help.

When doing normal krb5 authorization, you call the krb5_kuserok
function, which checks the passed principal against the user's
~/.k5login file for authorization info, right? At least that's how I've
done it in my own programs, so I hope that's correct... ;-)

I haven't done any programming with GSS-API, though, but I'm using
programs that authenticate with GSS-API (like UW-IMAP). I have no idea
how this authorization process works over GSS-API, however. Would anyone
be so kind as to enlighten me (or point me to any authoritative docs on
the matter that I haven't been able to find)?

The primary reason I'm asking is that my sisters, using our home
network, have their display managers (gdm) set to log them in
automatically without password authentication (that's how much they care
about security... :-/ ). Up until now, they haven't been able to use
Kerberized services, but recently I found out that I can simply ktadd
their principals into a private keytab of theirs and use "kinit -k
-t /path/to/keytab" to create their krb creds. This discovery will, of
course, be even more useful when I switch to Kerberos-authenticated
NFSv4 in the near future.

However, I discovered that if I used their normal (instance-less)
principals, that would mess them up, making password authentication
impossible for some reason (btw., why is that?), so I created a
principal with the instance "autologin" for them.

However, UW-IMAP wouldn't authorize against this principal, although I
added it to their ~/.k5login, and I don't know if this is because it's
supposed to be like that with GSS-API or because UW-IMAP is miscoded.
I'm betting my money on the latter, considering how much I've had to
recode UW-IMAP in the past to make up for Kerberos mistakes in the code,
such as credential cleanup. Even in the case of the latter, though, I
don't know how to fix it, since I haven't been programming with GSS-API.

Sorry for the long post.

Fredrik Tolf
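To make the krb5_kuserok / ~/.k5login behaviour the post refers to concrete, here is an added Python model of that check (it is not code from the post, from UW-IMAP or from MIT krb5): with no ~/.k5login only the instance-less principal in the default realm maps to the local user, while an instance such as "autologin" is authorized only through an explicit ~/.k5login line, and once the file exists it is the sole source of the decision. The realm, user names and file contents are constructed, and principal-name escaping is left out.

```python
# Added example (not from the original post): a model of how a
# krb5_kuserok-style check decides whether an authenticated Kerberos
# principal may act as a given local user. Realm and sample data are constructed.
from dataclasses import dataclass

DEFAULT_REALM = "EXAMPLE.COM"  # assumed default realm (constructed)


@dataclass(frozen=True)
class Principal:
    components: tuple  # e.g. ("alice", "autologin") for alice/autologin
    realm: str


def parse_principal(name, default_realm=DEFAULT_REALM):
    """Parse 'primary/instance@REALM' (realm optional) into a Principal.
    Escaped '/' and '@' characters are deliberately not handled here."""
    if "@" in name:
        local, realm = name.rsplit("@", 1)
    else:
        local, realm = name, default_realm
    return Principal(tuple(local.split("/")), realm)


def k5login_allows(k5login_text, principal):
    """The ~/.k5login branch: one principal per line, whole-principal match
    (realm and every component), nothing else is consulted."""
    for line in k5login_text.splitlines():
        line = line.strip()
        if line and parse_principal(line) == principal:
            return True
    return False


def default_mapping_allows(username, principal):
    """The no-~/.k5login branch: the principal must map to the local user
    name under the default rule, i.e. a single-component principal in the
    default realm whose primary equals the user name. 'alice/autologin'
    does not map, which is why an instance needs a ~/.k5login entry."""
    return (principal.realm == DEFAULT_REALM
            and len(principal.components) == 1
            and principal.components[0] == username)


def kuserok(username, principal_name, k5login_text=None):
    """Return True if principal_name is authorized as username.
    k5login_text=None models a user with no ~/.k5login file at all."""
    principal = parse_principal(principal_name)
    if k5login_text is not None:
        return k5login_allows(k5login_text, principal)
    return default_mapping_allows(username, principal)
```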