idea about modifying pam_krb5 use of krb5_verify_init_creds
Will Fiveash
will.fiveash at oracle.com
Mon Jan 23 14:29:03 EST 2012
On Mon, Jan 23, 2012 at 12:34:49AM -0500, Greg Hudson wrote:
> On 01/22/2012 08:17 PM, Will Fiveash wrote:
> > What I'm thinking would
> > be a better way for pam-krb5 to verify a user's initial krb cred is to
> > use a service princ found in the existing keytab and call
> > krb5_verify_init_creds() using that instead of using
> > krb5_sname_to_princ().
>
> In MIT krb5 1.10, krb5_verify_init_creds() will use the first principal
> in the keytab by default. See RT #6887 or r24749.
That seems like it would solve the issue I brought up but I still wonder
if that is enough effort given that the consequence of
krb5_verify_init_creds() failing is a user not being able to login. Did
you consider trying all the service princs found in the krb5.keytab in a
loop until either verification succeeds or there are no more unique
service princs to acquire a ticket for?
> Also, Russ's pam-krb5 appears to have code to do what you suggest if a
> keytab configuration parameter is specified (but not if the default
> keytab is used, I think).
Good to know, thanks.
--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
More information about the krbdev
mailing list