hartmans at MIT.EDU
Tue Nov 30 13:09:31 EST 2004
>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
>> I am adding some functionality to an existing pam module
>> (pam_krb5afs, which is beyond the scope of this list) in which
>> I do need to send the user's password off to the kdc.
Ken> Okay, fair enough.
>> Well from what I understand from other kerberos documentation I
>> have read I need to validate the responses from the server and
>> create a tgt and an entry in a keytab file. I guess what I
>> really need to brush up on is the functions which will assist
>> me in 1) validating the information in the response, 2) look
>> for an existing entry in a keytab file, 3) create an entry in
>> the keytab file, 4) create a valid ticket, 3) validate the
>> ticket. I hope those steps are accurate. "If" they are I
>> would need to call the following functions to do this:
>> calls to various krb5_get_init_creds_x to set my system
>> specific options
>> krb5_init_secure_context() - to initialize kerberos libs with
Ken> FYI; just call krb5_init_context(); I doubt there is a reason
Ken> to use krb5_init_secure_context in this case.
No, you actually do want secure context here. Picture something like
su being pam authenticated with KRB5_KTNAME set.
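
A simplified model of the point made in the reply above, as an added example that is not part of the original message and not MIT krb5 source: a normal context lets the invoking user's KRB5_KTNAME choose the keytab, while a secure context ignores it. The names model_ctx, model_kt_default_name and keytab_is_caller_controlled are hypothetical, and the DEFAULT_KTNAME value is an assumed build default.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENV_KTNAME "KRB5_KTNAME"
/* Assumed compiled-in default; real builds may differ. */
#define DEFAULT_KTNAME "FILE:/etc/krb5.keytab"

/* Hypothetical stand-in for a library context: 'secure' mirrors the choice
 * between krb5_init_context() (0) and krb5_init_secure_context() (1). */
struct model_ctx { int secure; };

/* Resolve the default keytab name. env_value is what getenv(ENV_KTNAME)
 * returned in the calling process (may be NULL). A secure context never
 * looks at it. Returns 0 on success, -1 if buf is too small. */
int model_kt_default_name(const struct model_ctx *ctx, const char *env_value,
                          char *buf, size_t len)
{
    const char *name = NULL;
    if (!ctx->secure)
        name = env_value;
    if (name == NULL || *name == '\0')
        name = DEFAULT_KTNAME;
    if (strlen(name) >= len)
        return -1;
    strcpy(buf, name);
    return 0;
}

/* Returns 1 when the keytab a privileged program (su via PAM) would use
 * was chosen by the invoking user rather than by the system. */
int keytab_is_caller_controlled(int secure, const char *env_value)
{
    struct model_ctx ctx = { secure };
    char name[256];
    if (model_kt_default_name(&ctx, env_value, name, sizeof name) != 0)
        return 1; /* treat an unusable name as untrusted */
    return strcmp(name, DEFAULT_KTNAME) != 0;
}

int main(void)
{
    const char *env = getenv(ENV_KTNAME); /* inherited from the caller */
    printf("normal context: caller-controlled=%d\n",
           keytab_is_caller_controlled(0, env));
    printf("secure context: caller-controlled=%d\n",
           keytab_is_caller_controlled(1, env));
    return 0;
}
```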