kerberos password test function source code

Henry B. Hotz hotz at
Wed Aug 6 13:00:30 EDT 2008

I think you're going too low level.  You should be supplying the  
"trial" password and the Kerberos principal as arguments.  (The  
principal could be a simple username if you know it's always just a  
simple user in the default realm.)

The relevant function to use is krb5_get_init_creds_password().  It's  
sufficient to tell you that somebody on the 'net says the password is  

Presumably you also want to know that "somebody" is actually your  
Kerberos server.  In that case you also need to request a service  
ticket for a service you already have a keytab for, and verify the  
ticket against that keytab.  Looks like krb5_verify_init_creds() is a  
routine common to MIT and Heimdal for that purpose.

On Aug 6, 2008, at 9:15 AM, krbdev-request at wrote:

> Date: Tue, 29 Jul 2008 21:02:41 -0400
> From: Nathanael Warren <dzhugashvili9 at>
> Subject: kerberos password test function source code
> To: <krbdev at>
> Message-ID: <BAY116-W470495822D4665F60F4339F27D0 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
> Hey,
> I was wondering if anybody out there had a simple, straightforward  
> kerberos test function available. I already checked out the Brezak  
> Internet draft (draft-brezak-win2k-krb-rc4-hmac-03.txt), but it's a  
> little over my head as far as implementing it in code. I am pretty  
> new to programming, and I am attempting to build an application in C++  
> that will test passwords for strength. I was looking for something  
> along the lines of a bool function that is supplied a plaintext  
> password candidate in a word[] array and the Kerberos 5 pre  
> Authentication hash (like in Cain, the authenticator?), and return a  
> bool TRUE or FALSE, depending on whether or not the password checks.  
> Here is an example:
> bool IsPasswordTrue(char password[], authenticator)
> {
> if ((encrypt(password))==authenticator)
>      {
>           return TRUE;
>      }
> else
>      {
>          return FALSE;
>      }
> }
> if anybody could help, that would be great! This is the optimal  
> code, but if you have anything at all that might be helpful, I would  
> appreciate it. Thanks!

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
