krb5_verify_user

Imanuel Greenfeld imanuel.greenfeld1 at ntlworld.com
Tue Jan 16 16:28:02 EST 2018 

Thank you Simo.

Can you please tell me how to check if my environment is Kerberos compliant ?

I'm working on Sun Solaris 10 and I can do kinit, klist, kdestroy, there is a /etc/krb5/krb5.conf 

Does this tell me if the environment has been Kerborized ?

Thank you

Imanuel.



-----Original Message-----
From: Simo Sorce [mailto:simo at redhat.com] 
Sent: 16 January 2018 21:08
To: Imanuel Greenfeld <imanuel.greenfeld1 at ntlworld.com>; 'Benjamin Kaduk' <kaduk at mit.edu>
Cc: kerberos at mit.edu
Subject: Re: krb5_verify_user

If you need to use kerberos over HTTP you should probably use at existing projects and reuse those, look for mod_auth_gssapi (C module for Apache) or request-gssapi (python module that uses python-gssapi for python-requests) and other similar efforts.

They all implement the SPNEGO RFCs: 4178, 4559 for example.

HTH,
Simo.

On Tue, 2018-01-16 at 19:06 +0000, Imanuel Greenfeld wrote:
> Hello Ben,
> 
> Thanks for your advice.
> 
> I understand it much better now.
> 
> I'm getting a token back from the KDC - it's huge encrypted string.
> 
> I need to incorporate that into my HTTP request.  I'm thinking whether 
> it I'll get through the authentication by adding this to HTTP header.
> 
> The HTTP headers I looked at had :- Authorization: Basic <token>
> 
> For example : Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1
> 
> Any ideas how I can do that ?  Should I treat is as a string ?
> 
> Thanks
> 
> Imanuel.
> 
> 
>  
> 
> -----Original Message-----
> From: Benjamin Kaduk [mailto:kaduk at mit.edu]
> Sent: 09 January 2018 00:15
> To: Imanuel Greenfeld <imanuel.greenfeld1 at ntlworld.com>
> Cc: kerberos at mit.edu
> Subject: Re: krb5_verify_user
> 
> On Mon, Jan 08, 2018 at 09:49:06PM +0000, Imanuel Greenfeld wrote:
> > Hello,
> > 
> >  
> > 
> > Hope you're well.
> > 
> >  
> > 
> > Happy new year.
> > 
> >  
> > 
> > I am looking for krb5_verify_user function under krb5/krb5.h and in 
> > fact anywhere but cannot find it.
> > 
> >  
> > 
> > I know it's not recommended to use it with the password, but I want 
> > to see if I can prove the point.
> > 
> >  
> > 
> > I am therefore getting compilation error for the function needing a 
> > prototype.
> > 
> >  
> > 
> > I'm using 1.16 and also tried on 1.15.2
> > 
> >  
> > 
> > Any ideas please ?
> 
> krb5_verify_user() is a function in the Heimdal implementation of 
> Kerberos, but is not present in MIT krb5.
> 
> Upon cursory examination, it seems that
> krb5_get_init_creds_password() and krb5_verify_init_creds() together 
> might be a suitable replacement.  Note that it requires the caller to 
> have access to a service keytab (and the principal name must be 
> specified if it is not host/<localhost>).
> 
> -Ben
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

More information about the Kerberos mailing list