krb5_rd_cred() ?

Derrick Schommer dschommer at
Tue Nov 30 13:05:45 EST 2004

> - krb5_init_context()
> - krb5_cc_default()
> - krb5_get_init_creds_password()
> - krb5_kt_default()
> - krb5_verify_init_creds()

Yeah, those are good.  Most of the hard work is handled within those
calls, no point in making your own client doing more work than is
needed.  Maybe a krb5_cc_initialize(), krb5_cc_store_cred(), if you'd
like to store some credentials in a cache file.


-----Original Message-----
From: Ken Hornstein [mailto:kenh at] 
Sent: Tuesday, 30 November 2004 12:39
To: krbdev at
Subject: Re: krb5_rd_cred() ? 

>I am adding some functionality to an existing pam module (pam_krb5afs, 
>which is beyond the scope of this list) in which I do need to send the 
>users password off to the kdc.

Okay, fair enough.

>Well from what I understand from other kerberos documentation I have 
>read I need to validate the responses from the server and create a tgt 
>and an entry in a keytab file.  I guess what I really need to brush up 
>on is the functions which will assist me in 1) validating the 
>information in the response, 2) look for an existing entry in a keytab 
>file, 3) create an entry in the keytab file, 4) create a valid ticket, 
>5) validate the ticket.  I hope those steps are accurate.  "If" they
>I would need to call the following functions to do this:
>calls to various krb5_get_init_creds_x to set my system specific
>krb5_init_secure_context() - to initialize kerberos libs with handle

FYI; just call krb5_init_context(); I doubt there is a reason to use
krb5_init_secure_context in this case.

As for the rest ... you could make your whole life simpler if you just
call krb5_verify_init_creds() :-)

>krb5_kt_default() - return handle to keytab file
>krb5_kt_get_entry() - search for existing keytab entry (if credentials 
>exist make call to krb5_get_credentials_validate() )
>krb5_add_entry() - add entry to keytab
>krb5_kt_close() - close the keytab

Trust me, you _don't_ want to add anything to the keytab (at least, as
I understand what you're doing).

>krb5_get_init_creds_password() - to authenticate the user
>krb5_get_validated_creds() - check response from 

I don't think krb5_get_validated_creds() does what you think it does.
In fact, I'm 99% sure of it.

>krb5_get_init_creds_password() call (is this where I get data to make
>clockskew checks?)

As we talked about, you don't need to do any clockskew checks; the
library does this for you.

I think what you want is:

- krb5_init_context()
- krb5_cc_default()
- krb5_get_init_creds_password()
- krb5_kt_default()
- krb5_verify_init_creds()

And probably a krb5_parse_name() and krb5_sname_to_principal() in there
as well for the username and ap_req principal.

krbdev mailing list             krbdev at 