Authenticating using lower case domain/realm

Henry B. Hotz hotz at jpl.nasa.gov
Thu Mar 12 12:43:24 EDT 2009


On Mar 11, 2009, at 9:12 AM, krbdev-request at mit.edu wrote:

> Date: Wed, 11 Mar 2009 16:00:55 +1100
> From: Luke Howard <lukeh at padl.com>
> Subject: Re: Authenticating using lower case domain/realm
> To: Russ Allbery <rra at stanford.edu>, Sam Hartman <hartmans at painless-security.com>
> Cc: "krbdev at mit.edu List" <krbdev at mit.edu>
> Message-ID: <7A98A8E4-9199-46AF-A28B-08BD8A70673C at padl.com>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
> I was looking into implementing support for name canonicalization /
> UPNs in pam_krb5. In the PAM case, the canonicalized name may be used
> for authorization to the host system. We can't rely on the name
> returned in the AS-REP because it is unprotected.
>
> So, I think we need to introduce a krb5_verify_init_creds() variant
> that returns the canonicalized name from the host service ticket. I
> propose either krb5_verify_init_creds_canonical() with an extra
> krb5_principal * argument, or a more general
> krb5_verify_init_creds_ext() API.
>
> Thoughts?
>
> -- Luke


Which pam_krb5?  There are so many!

I would vote for the Debian/Stanford one.  (Hint to RedHat.)  (Nothing
against the Solaris one, but they have the luxury of making the pam
framework and ssh behave in a sane manner.)

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu