idea about modifying pam_krb5 use of krb5_verify_init_creds

Greg Hudson ghudson at MIT.EDU
Mon Jan 23 00:34:49 EST 2012


On 01/22/2012 08:17 PM, Will Fiveash wrote:
> What I'm thinking would
> be a better way for pam-krb5 to verify a user's initial krb cred is to
> use a service princ found in the existing keytab and call
> krb5_verify_init_creds() using that instead of using
> krb5_sname_to_princ().

In MIT krb5 1.10, krb5_verify_init_creds() will use the first principal
in the keytab by default.  See RT #6887 or r24749.

Also, Russ's pam-krb5 appears to have code to do what you suggest if a
keytab configuration parameter is specified (but not if the default
keytab is used, I think).

