idea about modifying pam_krb5 use of krb5_verify_init_creds
Will Fiveash
will.fiveash at oracle.com
Sun Jan 22 20:17:36 EST 2012
People may have addressed this already but for Solaris when one has
provisioned a krb5.keytab with a host princ and is using pam-krb5 in the
pam.conf auth stack, if the hostname changes the pam-krb5 will fail to
verify a user's initial krb cred unless there is a host service princ in
the krb5.keytab that matches the new hostname. What I'm thinking would
be a better way for pam-krb5 to verify a user's initial krb cred is to
use a service princ found in the existing keytab and call
krb5_verify_init_creds() using that instead of using
krb5_sname_to_princ(). In fact, pam-krb5 could get a list of all unique
service princ names for the default realm in the keytab and call
krb5_verify_init_creds() in a loop until either one succeeds or they all
fail. Thoughts?
--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
More information about the krbdev
mailing list