noob question on where to start with Kerberos

Bryan Boone bryan-boone at
Mon Jul 27 18:07:32 EDT 2009

Hi everyone, I have a noob question for ya.


I need to develop a website for a company that uses Kerberos login; the web server resides on a different server than the Kerberos server.  Unfortunately I cannot use the built-in PHP functions for Kerberos, so I need to write my own C Kerberos client as a PHP extension.  Also, to eliminate possible man-in-the-middle attacks, I need to have the keytab file manually uploaded to the web server.


So this web page will simply authenticate the user's username and password and then pull that user's group name from the Kerberos server (while having the keytab on the web server).  There is no need to kerberize any application here.  Also I will not be needing to cache tickets or pass any tickets here.  I will use PHP sessions for the website.  I just need the authentication side of Kerberos once per user login on the website.


I read the O'Reilly Kerberos book and still have some questions.


My question is, what methods are best for accomplishing my task?  Can this be accomplished with the pam_krb5 API, the SASL for GSSAPI, or do I need to stick with native GSSAPI?  Which one would be easier for a noob?



