Will the Real get-a-tgt-with-a-password Function Please Stand Up?
Nicolas Williams
Nicolas.Williams at sun.com
Sat Jun 4 18:31:27 EDT 2005
On Sat, Jun 04, 2005 at 01:16:43PM -0700, Henry B. Hotz wrote:
>
> On Jun 3, 2005, at 10:51 AM, Sam Hartman wrote:
>
> >I believe both MIT and Heimdal support krb5_get_init_creds and
> >krb5_verify_init_creds. Heimdal has an additional convenience
> >function.
> >
> >Note that calling verify_init_creds is mandatory for secure operation
> >if you are checking for local access.
>
> Does verify_init_creds call k5userOK (which IIRC is where the check of
> ~/.k5login file happens)?
No -- it verifies the TGT obtained with krb5_get_init_creds*() by
getting a service ticket for a principal for which the system^Wcaller
has a keytab entry. It's not an authorization function.
> The application is on a Solaris server where the users in question
> don't have local accounts. If I want to use the installed Sun Kerberos
> do I have an alternative to using PAM?
What version of Solaris are you using? Why wouldn't you want to use the
stock pam_krb5?
Nico
--
More information about the krbdev
mailing list