question about krb5_verify_init_creds() and verify_ap_req_nofail
Will Fiveash
will.fiveash at oracle.com
Tue Jan 11 17:30:15 EST 2011
On Tue, Jan 11, 2011 at 04:20:45PM -0500, Sam Hartman wrote:
> Really?
> I'd expect krb5_kt_default() to succeed if the keytab does not exist.
My bad, you are correct that krb5_kt_default() will succeed without a
keytab existing.
Still, why try checking the keytab if verify_ap_req_nofail is set to false?
Here is the code I'm looking at:
    if ((ret = krb5_kt_get_entry(context, keytab, server, 0, 0, &kte))) {
        /* this means there is no keying material. This is ok, as long as
           it is not prohibited by the configuration */
        int nofail;
        if (options &&
            (options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL)) {
            if (options->ap_req_nofail)
                goto cleanup;
        } else if (krb5int_libdefault_boolean(context,
                                              &creds->client->realm,
                                              KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
                                              &nofail) == 0) {
            if (nofail)
                goto cleanup;
        }
        ret = 0;
        goto cleanup;
    }
If krb5_kt_get_entry() fails for whatever reason and if the
verify_ap_req_nofail is set to false in krb5.conf then the call to
krb5int_libdefault_boolean() will result in setting nofail to 0. If
that is the case then ret will be set to 0 and the code will goto
cleanup and then return 0. However, if there is a service princ key in
the keytab whether it is still current/valid or not then
verify_ap_req_nofail is essentially ignored and the ap_req will try to
be verified. If the service princ's key in the keytab is not valid then
krb5_verify_init_creds() will always fail. Is that behavior
intentional?
(Note, an older Solaris variant of krb5_verify_init_creds() differed from
this logic in that if verify_ap_req_nofail is false then the keytab was
ignored.)
--
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
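Added illustration, not from the post and not MIT krb5 code: a small C model of the decision the quoted snippet makes, written so the asymmetry the author asks about is visible as a decision table. Every input name (entry found, key valid, option flag, config value) is an assumption standing in for the real krb5 calls; the only behaviour modelled is the control flow of the snippet plus the obvious consequence that a present-but-wrong key cannot verify the AP-REQ.

```c
#include <stdbool.h>
#include <stdio.h>

/* Possible outcomes of the keytab / AP-REQ step of krb5_verify_init_creds(),
 * as modelled from the snippet quoted in the post. */
enum verify_outcome {
    VERIFY_SKIPPED,    /* no keytab entry, nofail false: returns 0 without verifying */
    VERIFY_FAILED,     /* no entry with nofail true, or entry present but key invalid */
    VERIFY_SUCCEEDED   /* entry present and key valid: AP-REQ verified */
};

/* Constructed inputs standing in for the real library calls (assumption). */
struct verify_inputs {
    bool kt_entry_found;    /* krb5_kt_get_entry() returned 0 */
    bool kt_key_valid;      /* the keytab key actually decrypts the service ticket */
    bool opt_flag_set;      /* KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL set in options */
    bool opt_ap_req_nofail; /* options->ap_req_nofail */
    bool conf_lookup_ok;    /* krb5int_libdefault_boolean() returned 0 */
    bool conf_nofail;       /* verify_ap_req_nofail value from krb5.conf */
};

/* Mirrors the control flow of the quoted snippet: nofail is consulted only
 * when the keytab lookup fails; once an entry exists, nofail plays no part. */
enum verify_outcome model_verify(const struct verify_inputs *in)
{
    if (!in->kt_entry_found) {
        bool nofail;
        if (in->opt_flag_set)
            nofail = in->opt_ap_req_nofail;   /* per-call option wins */
        else if (in->conf_lookup_ok)
            nofail = in->conf_nofail;         /* fall back to krb5.conf */
        else
            nofail = false;                   /* lookup failed: snippet reaches ret = 0 */
        return nofail ? VERIFY_FAILED : VERIFY_SKIPPED;
    }
    /* Entry found: verification is attempted regardless of nofail. */
    return in->kt_key_valid ? VERIFY_SUCCEEDED : VERIFY_FAILED;
}

/* Convenience wrapper for the common case: no per-call options, config lookup succeeds. */
enum verify_outcome outcome_with_conf(bool entry_found, bool key_valid, bool conf_nofail)
{
    struct verify_inputs in = {
        .kt_entry_found = entry_found,
        .kt_key_valid = key_valid,
        .opt_flag_set = false,
        .opt_ap_req_nofail = false,
        .conf_lookup_ok = true,
        .conf_nofail = conf_nofail,
    };
    return model_verify(&in);
}

static const char *outcome_name(enum verify_outcome o)
{
    switch (o) {
    case VERIFY_SKIPPED:   return "skipped (returns 0, nothing verified)";
    case VERIFY_FAILED:    return "failed";
    case VERIFY_SUCCEEDED: return "verified";
    }
    return "?";
}

int main(void)
{
    /* Print the decision table for the config-driven case. */
    printf("%-12s %-10s %-14s outcome\n", "kt entry", "key valid", "nofail (conf)");
    for (int found = 0; found <= 1; found++)
        for (int valid = 0; valid <= 1; valid++)
            for (int nofail = 0; nofail <= 1; nofail++) {
                if (!found && valid)
                    continue;   /* key validity is meaningless without an entry */
                printf("%-12s %-10s %-14s %s\n",
                       found ? "present" : "missing",
                       found ? (valid ? "yes" : "no") : "-",
                       nofail ? "true" : "false",
                       outcome_name(outcome_with_conf(found, valid, nofail)));
            }
    return 0;
}
```

The table makes the author's point concrete: with verify_ap_req_nofail = false, a missing entry is accepted silently, but a stale entry for the same service principal turns the call into a hard failure, because the nofail setting is only consulted on the lookup-failure branch.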