pam-krb5 3.5 released
Russ Allbery
rra at stanford.edu
Fri Jun 1 18:41:23 EDT 2007
Markus Moeller <huaraz at moeller.plus.com> writes:
> From: "Russ Allbery" <rra at stanford.edu>
>> I'm pretty sure this is not the case. The PAM module just calls
>> krb5_verify_init_creds, and at least in the MIT implementation, it uses
>> whatever key it can find in the keytab to do the verification. It
>> doesn't have to use a host key.
> Not really. If you look at the MIT source you will see.
> krb5_verify_init_creds(krb5_context context,
>                        krb5_creds *creds,
>                        krb5_principal server_arg,
>                        krb5_keytab keytab_arg,
>                        krb5_ccache *ccache_arg,
>                        krb5_verify_init_creds_opt *options)
> .
> .
> .
> .
>     if (server_arg) {
>         server = server_arg;
>     } else {
>         if ((ret = krb5_sname_to_principal(context, NULL, NULL,
>                                            KRB5_NT_SRV_HST, &server)))
>             goto cleanup;
>     }
> server_tag is the third argument, which you set to NULL, and
> krb5_sname_to_principal with NULL uses the host principal. So I need the
> option to set the server_tag.
Oh, bleh. Yeah, I misread that code; I thought it was doing something
smarter. Okay, added to the to-do list. It shouldn't be too difficult.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
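
An added example, not part of the original thread and not pam-krb5 or MIT code: a check an administrator could run to see whether a keytab holds a key for the principal that verification would request under the behaviour quoted above (host/<hostname> when the server argument is NULL). It assumes the MIT keytab file format version 0x0502 and that the caller passes the canonical host name; the function names, the sample keytab and the EXAMPLE.ORG names are constructed for illustration.

```python
import struct

def keytab_principals(data: bytes) -> set:
    """Return principal names ('comp/comp@REALM') from a 0x0502-format keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                      # end-of-file marker
            break
        if size < 0:                       # deleted entry (hole): skip its bytes
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):         # realm first, then each name component
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        names.add("/".join(parts[1:]) + "@" + parts[0])
    return names

def can_verify(names, hostname, server=None):
    """True if the keytab has a key for the principal verification would request.

    server=None models server_arg == NULL in the quoted code: host/<hostname>.
    The realm is not compared unless `server` includes one.
    """
    wanted = server or "host/" + hostname.lower()
    return any(n == wanted or n.startswith(wanted + "@") for n in names)

def make_entry(realm, comps, kvno=1):
    """Build one constructed keytab entry with an all-zero AES256 key."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)          # name type, timestamp, kvno
    body += struct.pack(">HH", 18, 32) + bytes(32)   # enctype, key length, key
    return struct.pack(">i", len(body)) + body

# Constructed sample: a keytab that holds only an HTTP service key.
SAMPLE = b"\x05\x02" + make_entry("EXAMPLE.ORG", ["HTTP", "www.example.org"])

if __name__ == "__main__":
    names = keytab_principals(SAMPLE)
    print("host default:", can_verify(names, "www.example.org"))
    print("explicit:", can_verify(names, "www.example.org", "HTTP/www.example.org"))
```

With a keytab like the sample, verification against the default host principal has no key to use, while an explicitly configured HTTP principal does.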