idea about modifying pam_krb5 use of krb5_verify_init_creds

Will Fiveash will.fiveash at
Mon Jan 23 15:44:31 EST 2012

On Mon, Jan 23, 2012 at 01:29:03PM -0600, Will Fiveash wrote:
> On Mon, Jan 23, 2012 at 12:34:49AM -0500, Greg Hudson wrote:
> > On 01/22/2012 08:17 PM, Will Fiveash wrote:
> > > What I'm thinking would
> > > be a better way for pam-krb5 to verify a user's initial krb cred is to
> > > use a service princ found in the existing keytab and call
> > > krb5_verify_init_creds() using that instead of using
> > > krb5_sname_to_princ().
> > 
> > In MIT krb5 1.10, krb5_verify_init_creds() will use the first principal
> > in the keytab by default.  See RT #6887 or r24749.
> That seems like it would solve the issue I brought up but I still wonder
> if that is enough effort given that the consequence of
> krb5_verify_init_creds() failing is a user not being able to login.  Did
> you consider trying all the service princs found in the krb5.keytab in a
> loop until either verification succeeds or there are no more unique
> service princs to acquire a ticket for?

Also it could be useful in the case that the caller of
krb5_verify_init_creds() doesn't specify a server that
krb5_verify_init_creds() set an output parameter to the name of the
service princ it used in successfully verifying a user's TGT.  Given
krb5_verify_init_creds() is part of the public krb API does it make
sense to create krb5_verify_init_creds_ext() to provide this capability?

Will Fiveash
Oracle Solaris Software Engineer
Sent using mutt, a sweet, text based e-mail app <>

More information about the krbdev mailing list