idea about modifying pam_krb5 use of krb5_verify_init_creds

Will Fiveash will.fiveash at
Mon Jan 23 14:29:03 EST 2012

On Mon, Jan 23, 2012 at 12:34:49AM -0500, Greg Hudson wrote:
> On 01/22/2012 08:17 PM, Will Fiveash wrote:
> > What I'm thinking would
> > be a better way for pam-krb5 to verify a user's initial krb cred is to
> > use a service princ found in the existing keytab and call
> > krb5_verify_init_creds() using that instead of using
> > krb5_sname_to_princ().
> In MIT krb5 1.10, krb5_verify_init_creds() will use the first principal
> in the keytab by default.  See RT #6887 or r24749.

That seems like it would solve the issue I brought up but I still wonder
if that is enough effort given that the consequence of
krb5_verify_init_creds() failing is a user not being able to login.  Did
you consider trying all the service princs found in the krb5.keytab in a
loop until either verification succeeds or there are no more unique
service princs to acquire a ticket for?

> Also, Russ's pam-krb5 appears to have code to do what you suggest if a
> keytab configuration parameter is specified (but not if the default
> keytab is used, I think).

Good to know, thanks.

Will Fiveash
Oracle Solaris Software Engineer
Sent using mutt, a sweet, text based e-mail app
