Authenticating using lower case domain/realm
Luke Howard
lukeh at padl.com
Wed Mar 11 01:00:55 EDT 2009
I was looking into implementing support for name canonicalization /
UPNs in pam_krb5. In the PAM case, the canonicalized name may be used
for authorization to the host system. We can't rely on the name
returned in the AS-REP because it is unprotected.
So, I think we need to introduce a krb5_verify_init_creds() variant
that returns the canonicalized name from the host service ticket. I
propose either krb5_verify_init_creds_canonical() with an extra
krb5_principal * argument, or a more general
krb5_verify_init_creds_ext() API.
Thoughts?
-- Luke
On 11/03/2009, at 10:53 AM, Russ Allbery wrote:
> Luke Howard <lukeh at padl.com> writes:
>
>> No, it doesn't (nor should it).
>>
>> However, try the following (untested) patch to pam_krb5. Using
>> 1.7, it should only be necessary to set the "use_upn" option,
>> either in PAM libdefaults or pam.conf.
>
> This is great, thank you! Let me know if he confirms that this
> works, and I'll incorporate it into the next release.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
>
--
www.padl.com | www.fghr.net
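The point of the thread is that the canonicalized client name in the AS-REP is not protected, so a PAM module must take it from the host service ticket that it has verified against the host keytab (what the proposed krb5_verify_init_creds() variant would return). The following Python model is an added illustration written for this page, not code from pam_krb5 or MIT krb5: it stands in for the real protocol with a constructed host key, an HMAC in place of the ticket's encryption under that key, and realm upper-casing as the only canonicalization, so that the difference between the two name sources can be exercised offline.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the host/<fqdn> keytab key shared by the KDC and
# the host. A real key comes from the keytab, never from source code.
HOST_KEY = bytes(range(32))


def kdc_issue(requested_name: str, host_key: bytes) -> dict:
    """Toy model of the AS exchange followed by a service-ticket request
    for host/<fqdn>. The KDC canonicalizes the principal (here: realm to
    upper case, as for the lower-case-realm case in the thread) and puts
    the result both in a cleartext field and inside the host ticket.
    The ticket body is authenticated with an HMAC under the host key;
    real Kerberos encrypts the ticket under that key, which for this
    purpose has the same effect: only the KDC or the host can produce one."""
    user, _, realm = requested_name.partition("@")
    canonical = f"{user}@{realm.upper()}"
    body = json.dumps({"cname": canonical}).encode()
    tag = hmac.new(host_key, body, hashlib.sha256).digest()
    return {"cname_cleartext": canonical,
            "host_ticket": {"body": body, "tag": tag}}


def name_from_as_rep(as_rep: dict) -> str:
    """The unsafe source: the cleartext name carried alongside the reply.
    Nothing the host can check ties this field to the KDC."""
    return as_rep["cname_cleartext"]


def verified_name_from_host_ticket(as_rep: dict, host_key: bytes) -> str:
    """Analogue of the proposed krb5_verify_init_creds() variant: verify the
    host service ticket with the keytab key and read the client name from
    the verified body. A ticket that does not verify yields no name at all."""
    ticket = as_rep["host_ticket"]
    expected = hmac.new(host_key, ticket["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise ValueError("host service ticket failed verification")
    return json.loads(ticket["body"])["cname"]


def with_rewritten_cleartext(as_rep: dict, new_name: str) -> dict:
    """Models an on-path party altering the unprotected field; the ticket
    is untouched because it cannot be re-issued without the host key."""
    altered = dict(as_rep)
    altered["cname_cleartext"] = new_name
    return altered


if __name__ == "__main__":
    rep = kdc_issue("alice@example.com", HOST_KEY)
    bad = with_rewritten_cleartext(rep, "root@EXAMPLE.COM")
    print("cleartext says:", name_from_as_rep(bad))
    print("verified ticket says:", verified_name_from_host_ticket(bad, HOST_KEY))
```

Authorization decisions in the PAM module (for example, comparing the canonical principal against the local account) should start from the value returned by the verifying function only; a host without a keytab cannot run that check and therefore has no trustworthy canonical name to authorize against.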