Programming in Kerberos

[Wyllys Ingersoll]

Russ Allbery wrote:

>  Wyllys Ingersoll <wyllys.ingersoll at sun.com> writes:
>
> > Ideally, you wouldn't use the KRB5 APIs at all, you would use
> > GSSAPI instead - it is standard and portable across implementations
> > and platforms.
>
>
>  Hm, is there a way to use GSSAPI to do password verification? It's
>  annoying that one has to do this, but alas it's still fairly common
>  to have to send a Kerberos username/password pair over a TLS
>  connection to be verified on the server. GSSAPI client support is
>  slow to materialize.
>

Unfortunately, not in a standard way.  In Solaris, we have implemented
a "gss_acquire_cred_with_password" function that does what you are asking
for, but it is not part of other GSSAPI implementations as far as I know.

There are proposals in the KITTEN WG for extending GSSAPI to do
things like this in the next spec, though.

-Wyllys