Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Nicolas Williams Nicolas.Williams at sun.com
Sat Jun 4 18:31:27 EDT 2005

On Sat, Jun 04, 2005 at 01:16:43PM -0700, Henry B. Hotz wrote:
> On Jun 3, 2005, at 10:51 AM, Sam Hartman wrote:
> >I believe both MIT and Heimdal support krb5_get_init_creds and
> >krb5_verify_init_creds.  Heimdal has an additional convenience
> >function.
> >
> >Note that calling verify_init_creds is mandatory for secure operation
> >if you are checking for local access.
> Does verify_init_creds call k5userOK (which IIRC is where the check of
> the ~/.k5login file happens)?

No -- it verifies the TGT obtained with krb5_get_init_creds*() by
getting a service ticket for a principal for which the system^Wcaller
has a keytab entry.  It's not an authorization function.

> The application is on a Solaris server where the users in question
> don't have local accounts.  If I want to use the installed Sun Kerberos
> do I have an alternative to using PAM?

What version of Solaris are you using?  Why wouldn't you want to use the
stock pam_krb5?
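
A simplified model of the verification step described in this message, added here as an illustration and not code from the post or from MIT, Heimdal or Sun Kerberos. HMAC stands in for ticket encryption, and the `KDC` class, principal names, passwords and keys are all constructed; it shows that a password-only check accepts replies from a KDC that lacks the host key, while the keytab step rejects them.

```python
import hashlib
import hmac
import os

def string_to_key(principal: str, password: str) -> bytes:
    # Stand-in for Kerberos string-to-key; real enctypes differ.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

def seal(key: bytes, body: bytes) -> bytes:
    # Model of "encrypted under key": an HMAC tag followed by the body.
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes):
    tag, body = blob[:32], blob[32:]
    good = hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest())
    return body if good else None

class KDC:
    """Answers AS and TGS requests from whatever key database it was given."""
    def __init__(self, keys):
        self.keys = keys
    def as_rep(self, client):
        return seal(self.keys[client], b"tgt-for:" + client.encode())
    def tgs_rep(self, service):
        # A KDC with no record of the service key can only guess one.
        key = self.keys.get(service, os.urandom(32))
        return seal(key, b"ticket-for:" + service.encode())

def get_init_creds(kdc, client, password):
    # Step 1: the AS reply must open with the password-derived key.
    return unseal(string_to_key(client, password), kdc.as_rep(client)) is not None

def verify_init_creds(kdc, service, keytab):
    # Step 2: a ticket for our own principal must open with our keytab key.
    return unseal(keytab[service], kdc.tgs_rep(service)) is not None

def login(kdc, client, password, service, keytab, verify=True):
    if not get_init_creds(kdc, client, password):
        return False
    return verify_init_creds(kdc, service, keytab) if verify else True

# Constructed sample data.
USER, HOST = "alice@EXAMPLE.COM", "host/server.example.com@EXAMPLE.COM"
HOST_KEY = os.urandom(32)
KEYTAB = {HOST: HOST_KEY}
REAL_KDC = KDC({USER: string_to_key(USER, "correct horse"), HOST: HOST_KEY})
# Impostor: knows a password for USER of its own choosing, lacks the host key.
IMPOSTOR_KDC = KDC({USER: string_to_key(USER, "anything")})
```

Neither step in the model consults ~/.k5login or any other access list, which matches the point above that verification is not authorization.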


