Authenticating using lower case domain/realm

Henry B. Hotz hotz at
Thu Mar 12 12:43:24 EDT 2009

On Mar 11, 2009, at 9:12 AM, krbdev-request at wrote:

> Date: Wed, 11 Mar 2009 16:00:55 +1100
> From: Luke Howard <lukeh at>
> Subject: Re: Authenticating using lower case domain/realm
> To: Russ Allbery <rra at>,	Sam Hartman
> 	<hartmans at>
> Cc: "krbdev at List" <krbdev at>
> Message-ID: <7A98A8E4-9199-46AF-A28B-08BD8A70673C at>
>
> I was looking into implementing support for name canonicalization /
> UPNs in pam_krb5. In the PAM case, the canonicalized name may be used
> for authorization to the host system. We can't rely on the name
> returned in the AS-REP because it is unprotected.
>
> So, I think we need to introduce a krb5_verify_init_creds() variant
> that returns the canonicalized name from the host service ticket. I
> propose either krb5_verify_init_creds_canonical() with an extra
> krb5_principal * argument, or a more general
> krb5_verify_init_creds_ext() API.
>
> Thoughts?
>
> -- Luke

Which pam_krb5?  There are so many!

I would vote for the Debian/Stanford one.  (Hint to RedHat.)  (Nothing  
against the Solaris one, but they have the luxury of making the pam  
framework and ssh behave in a sane manner.)

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
