Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Donn Cave donn at u.washington.edu
Fri Jun 3 16:26:46 EDT 2005

On Jun 3, 2005, at 10:32 AM, Simon Wilkinson wrote:
> Henry B. Hotz wrote:
>> What's the "right", implementation-independent way to do that?  Is  
>> the  answer different if you are just checking passwords and don't  
>> need to  keep the tgt?
> Implementation independence? Kerberos libraries? You'll be lucky!
> The conclusion that was reached whilst the OpenSSH krb5 code was  
> being reviewed was something akin to the following (for the MIT code):
> problem = krb5_get_init_creds_password(krb5_ctx, &creds,
>             krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
> problem = krb5_sname_to_principal(krb5_ctx, NULL, NULL,
>             KRB5_NT_SRV_HST, &server);
> problem = krb5_verify_init_creds(krb5_ctx, &creds, server,
>             NULL, NULL, NULL);
> krb5_free_principal(krb5_ctx, server);
> Heimdal does:
> problem = krb5_verify_user(krb5_ctx, krb5_user,
>             ccache, password, 1, NULL);
> (which also populates a ccache for you, and calls krb5_kuserok)
> Note that in the MIT case just calling get_init_creds_password()  
> isn't sufficient to verify that a user has correctly authenticated  
> - you need to use verify_init_creds() as well, in order to avoid  
> KDC replacement attacks. Oh, and obviously the error code returned  
> should be checked after every call.
> Hope that helps. If you want to look further - the code is in auth- 
> krb5.c in the OpenSSH portable distribution.

I'm looking at an older version, but I don't see any
krb5_free_cred_contents() afterwards?

Anyway, just wanted to point out that where you don't
need the credentials, at least with MIT I use
krb5_cc_resolve(krb5_ctx, "MEMORY:xyz", &ccache),
plus a krb5_cc_initialize, and then use that krb5_ccache.
I think this would be a minor optimization, but it's good
when /tmp fills up or something.

     Donn Cave, donn at u.washington.edu

More information about the krbdev mailing list