Will the Real get-a-tgt-with-a-password Function Please Stand Up?
Roland Dowdeswell
elric at imrryr.org
Wed Jun 8 16:08:28 EDT 2005
On 1117819977 seconds since the Beginning of the UNIX epoch
Simon Wilkinson wrote:
>
>Henry B. Hotz wrote:
>
>> What's the "right", implementation-independent way to do that? Is the
>> answer different if you are just checking passwords and don't need to
>> keep the tgt?
>
>Implementation independence? Kerberos libraries? You'll be lucky!
>
>The conclusion that was reached whilst the OpenSSH krb5 code was being
>reviewed was something akin to the following (for the MIT code):
>
>problem = krb5_get_init_creds_password(krb5_ctx, &creds,
>    krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
>problem = krb5_sname_to_principal(krb5_ctx, NULL, NULL,
>    KRB5_NT_SRV_HST, &server);
>problem = krb5_verify_init_creds(krb5_ctx, &creds, server,
>    NULL, NULL, NULL);
>krb5_free_principal(krb5_ctx, server);
If you are not keeping the TGT, then you should obtain a service ticket
for a key which is in your keytab in the krb5_get_init_creds_password()
stage rather than a TGT. This will save you an unnecessary round
trip with the KDC.
Something like:
	char host[256], *sprinc;
	gethostname(host, sizeof(host));	/* fills host; returns int, not the name */
	asprintf(&sprinc, "host/%s", host);
	krb5_get_init_creds_password(ctx, &creds, user, password, NULL,
	    NULL, 0, sprinc, NULL);		/* in_tkt_service: AS issues host/... directly */
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
More information about the krbdev mailing list