Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Sam Hartman hartmans at MIT.EDU
Sat Jun 4 18:21:06 EDT 2005

>>>>> "Henry" == Henry B Hotz <hotz at jpl.nasa.gov> writes:

    Henry> On Jun 3, 2005, at 10:51 AM, Sam Hartman wrote:

    >> I believe both MIT and Heimdal support krb5_get_init_creds and
    >> krb5_verify_init_creds.  Heimdal has an additional convenience
    >> function.
    >> Note that calling verify_init_creds is mandatory for secure
    >> operation if you are checking for local access.

    Henry> Does verify_init_creds call k5userOK (which IIRC is where
    Henry> the check of ~/.k5login file happens)?

No, verify_init_creds is part of authentication; it makes sure the KDC
is the right KDC.  k5userok is part of authorization; it makes sure
the authenticated user is allowed to use the account.

More information about the krbdev mailing list