Kerberos API - enhancing program to *force* authentication

Matt Garman matthew.garman at gmail.com
Wed Feb 3 11:45:09 EST 2016


I'd like to integrate Kerberos into an existing application.  In
particular, when this application performs certain operations, I want
to explicitly force the user to re-authenticate.  To be clear, the
user will generally already have a valid Kerberos ticket.  Despite
that, I want to force him to re-enter his password at certain points
in this application.  In other words, I don't care if he already has a
ticket or cached credentials, I (loosely speaking) want to do the
equivalent of kinit followed by a kdestroy.

I assume this is fairly straightforward.  I'm starting to look at API
examples now (including the source for kinit/kdestroy).  At this point
I'm just looking for any thoughts on why I might be going down a bad
path or any pitfalls I should keep in mind.

I do have a couple slightly specific questions at this point:

    - Will forcing the retrieval of a new ticket interfere in any way
with the user's current credentials (or his credentials cache)?  The
main reason we currently have Kerberos implemented is for Kerberized
NFSv4 home directories (i.e. sec=krb5p NFS mount option).  So as I
suggested above, the user will already have a valid Kerberos ticket and
credentials cache (otherwise they'll be "permission denied" out of
their own home dir).  I don't want to interfere with those, just
authenticate that the person using this program is really who he says
he is.

    - I'm just getting started with familiarizing myself with the
Kerberos API, but already I see that's a fairly low-level way to
achieve my goal.  I.e., some of my reading suggests using GSS-API,
SASL+TLS, etc. might be a more "generic" approach... any thoughts on
this, given my use case?

Just to give a little more insight to our environment: this is a pure
Linux environment, in particular CentOS (i.e. Red Hat Enterprise Linux)
5/6/7.  RHEL ships with MIT Kerberos.

Lastly, FWIW, the program we want to integrate with Kerberos is tmux
(same concept as GNU Screen).  tmux allows terminals to be "detached"
and "reattached" (e.g. detach, go home, login remotely, attach to get
your exact same terminal(s) back).  What we want is to force a
Kerberos authentication whenever an "attach" is attempted.  This is to
prevent admins (i.e. root user) from su'ing to that user, then
attaching to his console (and why we don't want to use existing
credentials, but force password entry).

Thanks!

