krb5_get_in_tkt_with_password problem

Terry Simons galimore at
Sun Jun 23 22:15:01 EDT 2002


I'm not really sure if this is exactly the place that I should send this 
message, but I thought I'd give it a shot.

I've been playing with the Authen::Krb5 perl module, and I'm trying to 
get an initial ticket with a script I wrote.

Now, I know that the perl mod isn't supported by MIT, but I think the 
issue I'm having is with the libs rather than the perl shim.

I'm using a function shim through perl (get_in_tkt_with_password) that 
calls krb5_get_in_tkt_with_password.

The perl function does some setup and uses the kerberos libraries to do 
the dirty work.

What I'm seeing is that if I use "" as my password, it prompts me.  This 
appears to be a standard kerberos response, according to an API doc I 


Attempts to get an initial ticket using the null-terminated string 
password. If password is NULL, the password is read from the terminal 
using as a prompt the globalname krb5_default_pwd_prompt1.

If I use an invalid string for my password, I see the following error 

"Decrypt integrity check failed"

That seems normal also...

The problem I am getting is that when I pass the VALID password to the 
perl function, I get the password prompt, as if I was sending a null 

I recompiled my libraries after modifying the krb5_default_pwd_prompt1 
prompt string... and verified that the function that is getting called 
when I send in my correct password, is the same function that is getting 
called when I send in no password.

So, here's what's happening:

A call with "" as the password yields:

Enter password (krb5_default_pwd_prompt1):

A call with an invalid password yields:

"Decrypt integrity check failed"

A call with the valid password yields:

Enter password (krb5_default_pwd_prompt1):

So... from observation, I *KNOW* that the API is getting called 
correctly, because an invalid password returns the "Decrypt integrity 
check failed" error message on an invalid password... so the server must 
be getting my password string, and for some reason it's prompting me on 
a valid password.

My question is, why do I get prompted when I send my valid password?

Is this something that the server can specify?  (I.E. If a password is 
sent by the API, prompt them anyway.)
Is this possibly an error in the perl module?  It doesn't seem like it...
Is this possibly an API bug?
Is this something I can turn off when I build my libraries?

FYI, I'm using version 1.2.5, and I've tried version 1.1.1, both yield 
the same results.


Terry Simons
Lead Network Assistant
Marriott Library, University of Utah
