how to achieve what kinit does programmatically?

Douglas E. Engert deengert at anl.gov
Tue Jun 3 09:44:58 EDT 2003



Kent_Wu at trendmicro.com wrote:
> 
> I looked at the krb pam package but it looks like the function there would still prompt for user's passwd before it can get the TGT. The goal I want to achieve here is to do it without the prompt since I can get the user/passwd pair beforehand(thru proxy authorization maybe).
> 
>         So can krb5_get_init_creds_password() do the job without interaction? I've downloaded the MIT Kerberos package however it seems it doesn't have good documentation though. Does Heimdal provide better documentation?
> 


The PAM exit I have seen, passes in "pass" as the password, as the PAM modules do the
actually
prompting. Here is a code snipit for the MIT kinit.c which pases in a password read from
stdin.
It calls krb5_get_init_creds_password. You can use it as an example.

*** 776,783 ****
  
      switch (opts->action) {
      case INIT_PW:
        code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
!                                           0, kinit_prompter, 0,
                                            opts->starttime, 
                                            opts->service_name,
                                            &options);
--- 784,804 ----
  
      switch (opts->action) {
      case INIT_PW:
+       if (opts->pstdin) {
+               pstdin_pw_size = read(0,pstdin_pw,sizeof(pstdin_pw)-1);
+               if (pstdin_pw_size > 0) {
+                       if (pstdin_pw[pstdin_pw_size-1] == '\n') {
+                               pstdin_pw_size--;
+                       }
+                       pstdin_pw[pstdin_pw_size] = '\0';
+               } else {
+                       pstdin_pw_size = 0;
+               }
+       }
+ 
        code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
!                                           (pstdin_pw_size > 0)? pstdin_pw: 0, 
!                                               kinit_prompter, 0,
                                            opts->starttime, 
                                            opts->service_name,
                                            &options);

> Thx.
> 
> Kent
> 
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov]
> Sent: Friday, May 30, 2003 7:13 AM
> To: Kent Wu (RD-US); heimdal-discuss at sics.se
> Cc: Henry B. Hotz
> Subject: Re: how to achieve what kinit does programmatically?
> 
> Another example of getting a TGT from a password would be one of the
> many krb pam routines. Are you using the Solaris SEAM version of
> Kerberos, if so look at the Sun documentation. You can also look at
> the kinit source :-)
> 
> "Henry B. Hotz" wrote:
> >
> > At 11:53 AM -0700 5/29/03, Kent_Wu at trendmicro.com wrote:
> > >Hi:
> > >       I can use "kinit" to get a TGT from a win2000 KDC in my
> > >Solaris machine and I also assume there must be Kerberos API's to
> > >achieve the same thing programmatically in C. However I couldn't
> > >find too much info on this. Could anyone kindly tell me the correct
> > >way to do it?
> > >       Another odd thing is in my /usr/lib/krb5 folder I can find
> > >some kerberos libraries which contains some API symbols like
> > >krb5_init_context however I couldn't find any man page for this
> > >function. Do I miss something here or  I need to download separate
> > >Kerberos library to do this?
> >
> > This question properly should go to an MIT Kerberos list, but I've
> > been looking into it myself so here goes:
> >
> > OSX includes the latest MIT K5 release, however it does not include
> > the man pages or documentation.  What you need to do is go to the MIT
> > site and download the latest source distribution.  That will include,
> > among other things, some TeX documentation which is pretty complete.
> >
> > Now is it accurate?  I do know that it documents a
> > get-tgt-with-password type function that exists, but is different
> > from the function actually used by either NetBSD/Heimdal kinit or MIT
> > kinit (which are different from each other as well).  In other words
> > just because MIT has more documentation than Heimdal doesn't mean
> > it's better. |-(
> >
> > What I intend to do in my "copious free time" is try lifting code
> > from the MIT kinit source and seeing if I can get that to work.  I
> > was not successful in getting the documented routine to work.
> >
> > I also looked at the GSSAPI documentation from Sun and it appears
> > that that API assumes you already have a tgt (unless you're a
> > server).  I think SASL wraps GSSAPI so that wouldn't solve the
> > problem either.
> > --
> > The opinions expressed in this message are mine,
> > not those of Caltech, JPL, NASA, or the US Government.
> > Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
> 
> --
> 
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444


More information about the krbdev mailing list