krb5_rd_cred() ?
Jason Gerfen
jason.gerfen at scl.utah.edu
Tue Nov 30 12:22:08 EST 2004
Ken Hornstein wrote:
>>I really appreciate all of your help, just so I understand the steps I
>>need to take next:
>>
>>Initialize the error codes for the kerberos libs.
>
>Just FYI; if you're calling krb5_init_ets(), you shouldn't. In the "old
>days", you had to call this, but this is now performed by krb5_init_context().
>
>>begin reading in my configuration options and setting them
>
>This is of course application-dependent.
>
>>begin authentication with username & password as well as using my stored
>>config options to do it properly
>
>Weeeelll ... this depends. In the majority of "true" Kerberized applications,
>you never deal with the user's password at all.
>
I am adding some functionality to an existing pam module (pam_krb5afs,
which is beyond the scope of this list) in which I do need to send the
user's password off to the kdc.

>>do verification on ticket upon successful authentication
>>store ticket information until user logs out
>
>In terms of these items ... what exactly are you doing? I think that
>might help us figure out which functions you need to call.
>
Well, from what I understand from other kerberos documentation I have
read, I need to validate the responses from the server and create a tgt
and an entry in a keytab file. I guess what I really need to brush up
on is the functions which will assist me in 1) validating the
information in the response, 2) look for an existing entry in a keytab
file, 3) create an entry in the keytab file, 4) create a valid ticket,
5) validate the ticket. I hope those steps are accurate. "If" they are
I would need to call the following functions to do this:

calls to various krb5_get_init_creds_x to set my system specific options
krb5_init_secure_context() - to initialize kerberos libs with handle
krb5_kt_default() - return handle to keytab file
krb5_kt_get_entry() - search for existing keytab entry (if credentials
    exist make call to krb5_get_credentials_validate())
krb5_add_entry() - add entry to keytab
krb5_kt_close() - close the keytab
krb5_get_init_creds_password() - to authenticate the user
krb5_get_validated_creds() - check response from
    krb5_get_init_creds_password() call (is this where I get data to make my
    clockskew checks?)
make calls to krb5_free_x functions to free up any routines I used

If this is inaccurate please let me know. I really appreciate your
input as I am still new to the Kerberos process and protocol.

>--Ken
--
Jason Gerfen
jason.gerfen at scl.utah.edu
"And remember... If the ladies
don't find you handsome, they
should at least find you handy..."
~The Red Green show