Will the Real get-a-tgt-with-a-password Function Please Stand Up?
Donn Cave
donn at u.washington.edu
Fri Jun 3 16:26:46 EDT 2005
On Jun 3, 2005, at 10:32 AM, Simon Wilkinson wrote:
> Henry B. Hotz wrote:
>> What's the "right", implementation-independent way to do that? Is
>> the answer different if you are just checking passwords and don't
>> need to keep the tgt?
>
> Implementation independence? Kerberos libraries? You'll be lucky!
>
> The conclusion that was reached whilst the OpenSSH krb5 code was
> being reviewed was something akin to the following (for the MIT code):
>
>     problem = krb5_get_init_creds_password(krb5_ctx, &creds,
>         krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
>     problem = krb5_sname_to_principal(krb5_ctx, NULL, NULL,
>         KRB5_NT_SRV_HST, &server);
>     problem = krb5_verify_init_creds(krb5_ctx, &creds, server,
>         NULL, NULL, NULL);
>     krb5_free_principal(krb5_ctx, server);
>
> Heimdal does:
>
>     problem = krb5_verify_user(krb5_ctx, krb5_user,
>         ccache, password, 1, NULL);
> (which also populates a ccache for you, and calls krb5_kuserok)
>
> Note that in the MIT case just calling get_init_creds_password()
> isn't sufficient to verify that a user has correctly authenticated
> - you need to use verify_init_creds() as well, in order to avoid
> KDC replacement attacks. Oh, and obviously the error code returned
> should be checked after every call.
>
> Hope that helps. If you want to look further - the code is in
> auth-krb5.c in the OpenSSH portable distribution.
I'm looking at an older version, but I don't see any
krb5_free_cred_contents() afterwards?
Anyway, just wanted to point out that where you don't
need the credentials, at least with MIT I use
krb5_cc_resolve(krb5_ctx, "MEMORY:xyz", &ccache),
plus a krb5_cc_initialize, and then use that krb5_ccache.
I think this would be a minor optimization, but it's good
when /tmp fills up or something.
Donn Cave, donn at u.washington.edu