Will the Real get-a-tgt-with-a-password Function Please Stand Up?
simon at sxw.org.uk
Fri Jun 3 13:32:57 EDT 2005
Henry B. Hotz wrote:
> What's the "right", implementation-independent way to do that? Is the
> answer different if you are just checking passwords and don't need to
> keep the tgt?
Implementation independence? Kerberos libraries? You'll be lucky!
The conclusion that was reached whilst the OpenSSH krb5 code was being
reviewed was something akin to the following (for the MIT code):
problem = krb5_get_init_creds_password(krb5_ctx, &creds,
krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
problem = krb5_sname_to_principal(krb5_ctx, NULL, NULL,
problem = krb5_verify_init_creds(krb5_ctx, &creds, server,
NULL, NULL, NULL);
problem = krb5_verify_user(krb5_ctx, krb5_user,
ccache, password, 1, NULL);
(which also populates a ccache for you, and calls krb5_kuserok)
Note that in the MIT case just calling get_init_creds_password() isn't
sufficient to verify that a user has correctly authenticated - you need
to use verify_init_creds() as well, in order to avoid KDC replacement
attacks. Oh, and obviously the error code returned should be checked
after every call.
Hope that helps. If you want to look further - the code is in
auth-krb5.c in the OpenSSH portable distribution.
More information about the krbdev