query kerberos with C?

Russ Allbery rra at stanford.edu
Sat Jul 21 13:57:07 EDT 2007


Rainer Sigl <sigl at mpe.mpg.de> writes:

> I'm rel. new with kerberos besides using it with afs.
> My question: are there easy c-interfaces to ask a kerberos server for
> username, password or setting up new users on kerberos?

It's impossible to ask a Kerberos server for someone's username and
password.  The Kerberos server doesn't store that information.  It only
stores encryption keys generated from the password, and from which one
cannot, in general, recover the initial password.

You can ask the Kerberos server to validate a username and password.  You
do this by obtaining a krbtgt ticket (with krb5_get_init_creds_password)
and then verifying against a local keytab (with krb5_verify_init_creds).

There is, unfortunately, no C API for setting up new users in MIT
Kerberos.  You have to wrap something around the kadmin or kadmin.local
programs.  I believe Heimdal does provide a C API to the administrative
functions.

There is a C API for changing passwords.

> In my special case I have a user database on postgresql: the stored
> usernames, passwords which are till now used for authorizing by our
> email server. Now I wish to have the same passwords on my postgresql
> database and our afs server. This could work for example by writing
> c-functions on postgresql that fetch the corresponding password for a
> username and can create new user entries on kerberos.
> Is there any way to do this?

You would either need to start using Kerberos authentication with
PostgreSQL, if it supports that (I don't know enough about PostgreSQL to
tell you), or you're going to have to write custom software that does
this, probably by wrapping calls to the kadmin program.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
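
The kadmin wrapping suggested in the message above, as an added example that is not part of the original post or of MIT Kerberos: user names coming from a database are validated before they reach kadmin.local's -q query string, and the program is run without a shell. The function names, the 64-byte limit, the allowed character set and the /usr/sbin/kadmin.local path are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define KADMIN_LOCAL "/usr/sbin/kadmin.local"   /* assumed install path */

/* Accept only 1..64 bytes of [A-Za-z0-9._-] that do not start with '-'.
 * kadmin splits the -q string into arguments itself, so a space, quote,
 * '/' or '@' in a name would change the command or the principal. */
int valid_component(const char *s)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t n;
    if (s == NULL || s[0] == '\0' || s[0] == '-')
        return 0;
    n = strlen(s);
    return n <= 64 && strspn(s, ok) == n;
}

/* Build "addprinc -randkey user@REALM"; -1 on bad input or truncation.
 * -randkey keeps any password off the command line (visible in the process
 * list); setting the password is a separate step not shown here. */
int build_addprinc_query(char *out, size_t outlen,
                         const char *user, const char *realm)
{
    int n;
    if (!valid_component(user) || !valid_component(realm))
        return -1;
    n = snprintf(out, outlen, "addprinc -randkey %s@%s", user, realm);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Run kadmin.local via exec (no shell). Returns its exit status,
 * 127 if the exec failed, or -1 on invalid input or a system error. */
int create_principal(const char *user, const char *realm)
{
    char query[160];
    int status;
    pid_t pid;
    if (build_addprinc_query(query, sizeof query, user, realm) != 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execl(KADMIN_LOCAL, "kadmin.local", "-q", query, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```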


