Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Simon Wilkinson simon at sxw.org.uk
Fri Jun 3 13:32:57 EDT 2005

Henry B. Hotz wrote:

> What's the "right", implementation-independent way to do that?  Is the  
> answer different if you are just checking passwords and don't need to  
> keep the tgt?

Implementation independence? Kerberos libraries? You'll be lucky!

The conclusion that was reached whilst the OpenSSH krb5 code was being 
reviewed was something akin to the following (for the MIT code):

problem = krb5_get_init_creds_password(krb5_ctx, &creds,
             krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
problem = krb5_sname_to_principal(krb5_ctx, NULL, NULL,
             KRB5_NT_SRV_HST, &server);
problem = krb5_verify_init_creds(krb5_ctx, &creds, server,
             NULL, NULL, NULL);
krb5_free_principal(krb5_ctx, server);

Heimdal does:

problem = krb5_verify_user(krb5_ctx, krb5_user,
             ccache, password, 1, NULL);
(which also populates a ccache for you, and calls krb5_kuserok)

Note that in the MIT case just calling get_init_creds_password() isn't 
sufficient to verify that a user has correctly authenticated - you need 
to use verify_init_creds() as well, in order to avoid KDC replacement 
attacks. Oh, and obviously the error code returned should be checked 
after every call.

Hope that helps. If you want to look further - the code is in 
auth-krb5.c in the OpenSSH portable distribution.
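
The reasoning behind the two-step check above, as an added example that is not part of the original post and is not OpenSSH or MIT code: a toy C model in which step 1 succeeds against a replaced KDC and only the keytab check in step 2 rejects it. The kdc struct, the seal/unseal helpers and every key value are constructed for illustration; the function names only mirror the MIT calls named in the post.

```c
/* Toy model only: not real Kerberos cryptography and not the krb5 API. */
#include <stdint.h>

typedef struct { uint32_t ct, tag; } sealed;   /* stand-in for an encrypted blob */

/* Toy string-to-key (FNV-1a) standing in for the password-to-key step. */
static uint32_t str2key(const char *s) {
    uint32_t h = 2166136261u;
    while (*s) h = (h ^ (uint8_t)*s++) * 16777619u;
    return h;
}
static uint32_t mac(uint32_t key, uint32_t v) { return (key * 31u + v) * 2654435761u; }
static sealed seal(uint32_t key, uint32_t v) { sealed b = { v ^ key, mac(key, v) }; return b; }
/* Returns 0 and writes the plaintext only if the blob was sealed under key. */
static int unseal(uint32_t key, sealed b, uint32_t *out) {
    uint32_t v = b.ct ^ key;
    if (mac(key, v) != b.tag) return -1;
    *out = v;
    return 0;
}
/* Whatever answers as "the KDC": the real one, or a replacement with its own keys. */
typedef struct { uint32_t user_key, host_key, session; } kdc;

/* Step 1, as get_init_creds_password: the AS reply opens with the typed password.
 * This only shows that the responder's user key matches that password. */
static int get_init_creds(const kdc *k, const char *password, uint32_t *session) {
    return unseal(str2key(password), seal(k->user_key, k->session), session);
}
/* Step 2, as verify_init_creds: a host ticket from the same responder must open
 * with the key in the local keytab, which a replacement KDC does not hold. */
static int verify_init_creds(const kdc *k, uint32_t session, uint32_t keytab_key) {
    uint32_t in_ticket;
    if (unseal(keytab_key, seal(k->host_key, session), &in_ticket) != 0) return -1;
    return in_ticket == session ? 0 : -1;
}

/* Returns 0 only when both steps pass; *step1 records what step 1 alone said. */
static int check_password(const kdc *k, const char *pw, uint32_t keytab_key, int *step1) {
    uint32_t session = 0;
    *step1 = get_init_creds(k, pw, &session);
    if (*step1 != 0) return -1;            /* error checked after every call */
    return verify_init_creds(k, session, keytab_key);
}

int main(void) {
    kdc replaced = { str2key("pw"), 0x0bad0002u, 0x0badf00du };   /* constructed */
    int step1;
    return (check_password(&replaced, "pw", 0x5eed0001u, &step1) != 0 && step1 == 0) ? 0 : 1;
}
```

In MIT krb5 the real krb5_verify_init_creds may skip verification when no usable keytab entry exists, unless krb5_verify_init_creds_opt_set_ap_req_nofail() (or the verify_ap_req_nofail setting in krb5.conf) requires it to succeed.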


