krb5_verify_user

Imanuel Greenfeld imanuel.greenfeld1 at ntlworld.com
Tue Jan 9 15:23:41 EST 2018 

Thank you Ben.

I managed to use krb5_init_creds_password(), krb_verify_init_creds() and
krb5_get_credetials() and each returned 0 so I'm assuming that's ok.

How do I now send a message to the server ?  I found krb5_sendauth() - do
you have a simple example how to use this function ?

I did :-
Krb5_sendauth(context, &auth_context, NULL, "Kerberos v5", client_princ,
server_princ, AP_OPTS_MUTUAL_REQUIRED, &cksum_data, &creds, ccache,
&err_ret, &rep_ret, &out_cred);

I'm getting : a core dump - I'm not sure if it's to do with me passing NULL
to the file descriptor.  

Do you have a simple example how to use this function provided
krb5_init_creds_password(), krb_verify_init_creds() and
krb5_get_credetials() are used correctly ? 

Also, for the original task, once Krb5_sendauth() goes through the Kerberos
authentication will I be able to send JSON messages ?

Can you help please ?

Many thanks for your assistance.

Imanuel.


-----Original Message-----
From: Benjamin Kaduk [mailto:kaduk at mit.edu] 
Sent: 09 January 2018 00:15
To: Imanuel Greenfeld <imanuel.greenfeld1 at ntlworld.com>
Cc: kerberos at mit.edu
Subject: Re: krb5_verify_user

On Mon, Jan 08, 2018 at 09:49:06PM +0000, Imanuel Greenfeld wrote:
> Hello,
> 
>  
> 
> Hope you're well.
> 
>  
> 
> Happy new year.
> 
>  
> 
> I am looking for krb5_verify_user function under krb5/krb5.h and in 
> fact anywhere but cannot find it.
> 
>  
> 
> I know it's not recommended to use it with the password, but I want to 
> see if I can prove the point.
> 
>  
> 
> I am therefore getting compilation error for the function needing a 
> prototype.
> 
>  
> 
> I'm using 1.16 and also tried on 1.15.2
> 
>  
> 
> Any ideas please ?

krb5_verify_user() is a function in the Heimdal implementation of Kerberos,
but is not present in MIT krb5.

Upon cursory examination, it seems that
krb5_get_init_creds_password() and krb5_verify_init_creds() together might
be a suitable replacement.  Note that it requires the caller to have access
to a service keytab (and the principal name must be specified if it is not
host/<localhost>).

-Ben

More information about the Kerberos mailing list