pam-krb5 3.5 released
Markus Moeller
huaraz at moeller.plus.com
Sun Jun 3 08:32:27 EDT 2007
"Russ Allbery" <rra at stanford.edu> wrote in message
news:87hcprz4a4.fsf at windlord.stanford.edu...
> Markus Moeller <huaraz at moeller.plus.com> writes:
>> From: "Russ Allbery" <rra at stanford.edu>
>
>>> I'm pretty sure this is not the case. The PAM module just calls
>>> krb5_verify_init_creds, and at least in the MIT implementation, it uses
>>> whatever key it can find in the keytab to do the verification. It
>>> doesn't have to use a host key.
>
>> Not really. If you look at the MIT source you will see.
>
>> krb5_verify_init_creds(krb5_context context,
>>                        krb5_creds *creds,
>>                        krb5_principal server_arg,
>>                        krb5_keytab keytab_arg,
>>                        krb5_ccache *ccache_arg,
>>                        krb5_verify_init_creds_opt *options)
>> .
>> .
>> .
>> .
>>     if (server_arg) {
>>         server = server_arg;
>>     } else {
>>         if ((ret = krb5_sname_to_principal(context, NULL, NULL,
>>                                            KRB5_NT_SRV_HST, &server)))
>>             goto cleanup;
>>     }
>
>> server_tag is the 3rd argument, which you set to NULL, and
>> krb5_sname_to_principal with NULL uses the host principal. So I need the
>> option to set the server_tag.
>
> Oh, bleh. Yeah, I misread that code; I thought it was doing something
> smarter. Okay, added to the to-do list. It shouldn't be too difficult.
>
The ideal would be to use something similar to GSS_C_NO_NAME (as I think you
intended), so that any keytab entry could be used.
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
Markus