Will the Real get-a-tgt-with-a-password Function Please Stand Up?
Sam Hartman
hartmans at MIT.EDU
Sat Jun 4 18:21:06 EDT 2005
>>>>> "Henry" == Henry B Hotz <hotz at jpl.nasa.gov> writes:

Henry> On Jun 3, 2005, at 10:51 AM, Sam Hartman wrote:
>> I believe both MIT and Heimdal support krb5_get_init_creds and
>> krb5_verify_init_creds. Heimdal has an additional convenience
>> function.
>>
>> Note that calling verify_init_creds is mandatory for secure
>> operation if you are checking for local access.

Henry> Does verify_init_creds call k5userOK (which IIRC is where
Henry> the check of ~/.k5login file happens)?

No, verify_init_creds is part of authentication; it makes sure the KDC
is the right KDC. k5userok is part of authorization; it makes sure
the authenticated user is allowed to use the account.