Authenticating using lower case domain/realm

Luke Howard lukeh at
Wed Mar 11 01:00:55 EDT 2009

I was looking into implementing support for name canonicalization / UPNs in pam_krb5. In the PAM case, the canonicalized name may be used for authorization to the host system. We can't rely on the name returned in the AS-REP because it is unprotected.

So, I think we need to introduce a krb5_verify_init_creds() variant that returns the canonicalized name from the host service ticket. I propose either krb5_verify_init_creds_canonical() with an extra krb5_principal * argument, or a more general krb5_verify_init_creds_ext() API.


-- Luke

On 11/03/2009, at 10:53 AM, Russ Allbery wrote:

> Luke Howard <lukeh at> writes:
>> No, it doesn't (nor should it).
>> However, try the following (untested) patch to pam_krb5. Using 1.7, it
>> should only be necessary to set the "use_upn" option, either in PAM
>> libdefaults or pam.conf.
> This is great, thank you!  Let me know if he confirms that this works, and
> I'll incorporate it into the next release.
> --
> Russ Allbery (rra at
