Will the Real get-a-tgt-with-a-password Function Please Stand Up?

Roland Dowdeswell elric at imrryr.org
Wed Jun 8 16:08:28 EDT 2005

On 1117819977 seconds since the Beginning of the UNIX epoch
Simon Wilkinson wrote:
>Henry B. Hotz wrote:
>> What's the "right", implementation-independent way to do that?  Is the  
>> answer different if you are just checking passwords and don't need to  
>> keep the tgt?
>Implementation independence? Kerberos libraries? You'll be lucky!
>The conclusion that was reached whilst the OpenSSH krb5 code was being 
>reviewed was something akin to the following (for the MIT code):
>problem = krb5_get_init_creds_password(krb5_ctx, &creds,
>             krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
>problem = krb5_sname_to_principal(krb5_ctx, NULL, NULL,
>             KRB5_NT_SRV_HST, &server);
>problem = krb5_verify_init_creds(krb5_ctx, &creds, server,
>             NULL, NULL, NULL);
>krb5_free_principal(krb5_ctx, server);

If you are not keeping the TGT, then you should obtain a service ticket
for a key which is in your keytab in the krb5_get_init_creds_password()
stage rather than a TGT.  This will save you an unnecessary round
trip with the KDC.

Something like:

	asprintf(&sprinc, "host/%s", gethostname());
	krb5_get_init_creds_password(ctx, &creds, user, password, NULL,
	    NULL, 0, sprinc, NULL);

    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/

More information about the krbdev mailing list