krb5_rd_cred() ?

Ken Hornstein kenh at
Tue Nov 30 12:38:56 EST 2004

>I am adding some functionality to an existing pam module (pam_krb5afs, 
>which is beyond the scope of this list) in which I do need to send the 
>user's password off to the kdc.

Okay, fair enough.

>Well from what I understand from other kerberos documentation I have 
>read I need to validate the responses from the server and create a tgt 
>and an entry in a keytab file.  I guess what I really need to brush up 
>on is the functions which will assist me in 1) validating the 
>information in the response, 2) look for an existing entry in a keytab 
>file, 3) create an entry in the keytab file, 4) create a valid ticket, 
>5) validate the ticket.  I hope those steps are accurate.  "If" they are 
>I would need to call the following functions to do this:
>calls to various krb5_get_init_creds_x to set my system specific options
>krb5_init_secure_context() - to initialize kerberos libs with handle

FYI; just call krb5_init_context(); I doubt there is a reason to use
krb5_init_secure_context in this case.

As for the rest ... you could make your whole life simpler if you just
call krb5_verify_init_creds() :-)

>krb5_kt_default() - return handle to keytab file
>krb5_kt_get_entry() - search for existing keytab entry (if credentials 
>exist make call to krb5_get_credentials_validate() )
>krb5_add_entry() - add entry to keytab
>krb5_kt_close() - close the keytab

Trust me, you _don't_ want to add anything to the keytab (at least, as
I understand what you're doing).

>krb5_get_init_creds_password() - to authenticate the user
>krb5_get_validated_creds() - check response from 

I don't think krb5_get_validated_creds() does what you think it does.
In fact, I'm 99% sure of it.

>krb5_get_init_creds_password() call (is this where I get data to make my 
>clockskew checks?)

As we talked about, you don't need to do any clockskew checks; the
library does this for you.

I think what you want is:

- krb5_init_context()
- krb5_cc_default()
- krb5_get_init_creds_password()
- krb5_kt_default()
- krb5_verify_init_creds()

And probably a krb5_parse_name() and krb5_sname_to_principal() in there
as well for the username and ap_req principal.

