kenh at cmf.nrl.navy.mil
Tue Nov 30 12:38:56 EST 2004
>I am adding some functionality to an existing pam module (pam_krb5afs,
>which is beyond the scope of this list) in which I do need to send the
>user's password off to the kdc.
Okay, fair enough.
>Well from what I understand from other kerberos documentation I have
>read I need to validate the responses from the server and create a tgt
>and an entry in a keytab file. I guess what I really need to brush up
>on is the functions which will assist me in 1) validating the
>information in the response, 2) look for an existing entry in a keytab
>file, 3) create an entry in the keytab file, 4) create a valid ticket,
>5) validate the ticket. I hope those steps are accurate. "If" they are
>I would need to call the following functions to do this:
>calls to various krb5_get_init_creds_x to set my system specific options
>krb5_init_secure_context() - to initialize kerberos libs with handle
FYI: just call krb5_init_context(); I doubt there is a reason to use
krb5_init_secure_context in this case.
As for the rest ... you could make your whole life simpler if you just
call krb5_verify_init_creds() :-)
>krb5_kt_default() - return handle to keytab file
>krb5_kt_get_entry() - search for existing keytab entry (if credentials
>exist make call to krb5_get_credentials_validate() )
>krb5_add_entry() - add entry to keytab
>krb5_kt_close() - close the keytab
Trust me, you _don't_ want to add anything to the keytab (at least, as
I understand what you're doing).
>krb5_get_init_creds_password() - to authenticate the user
>krb5_get_validated_creds() - check response from
I don't think krb5_get_validated_creds() does what you think it does.
In fact, I'm 99% sure of it.
>krb5_get_init_creds_password() call (is this where I get data to make my
As we talked about, you don't need to do any clockskew checks; the
library does this for you.
I think what you want is:
And probably a krb5_parse_name() and krb5_sname_to_principal() in there
as well for the username and ap_req principal.