idea about modifying pam_krb5 use of krb5_verify_init_creds

Will Fiveash will.fiveash at oracle.com
Mon Jan 23 15:44:31 EST 2012


On Mon, Jan 23, 2012 at 01:29:03PM -0600, Will Fiveash wrote:
> On Mon, Jan 23, 2012 at 12:34:49AM -0500, Greg Hudson wrote:
> > On 01/22/2012 08:17 PM, Will Fiveash wrote:
> > > What I'm thinking would
> > > be a better way for pam-krb5 to verify a user's initial krb cred is to
> > > use a service princ found in the existing keytab and call
> > > krb5_verify_init_creds() using that instead of using
> > > krb5_sname_to_princ().
> > 
> > In MIT krb5 1.10, krb5_verify_init_creds() will use the first principal
> > in the keytab by default.  See RT #6887 or r24749.
> 
> That seems like it would solve the issue I brought up but I still wonder
> if that is enough effort given that the consequence of
> krb5_verify_init_creds() failing is a user not being able to log in.  Did
> you consider trying all the service princs found in the krb5.keytab in a
> loop until either verification succeeds or there are no more unique
> service princs to acquire a ticket for?

Also, in the case that the caller of krb5_verify_init_creds() doesn't
specify a server, it could be useful for krb5_verify_init_creds() to set
an output parameter to the name of the service princ it used in
successfully verifying a user's TGT.  Given that krb5_verify_init_creds()
is part of the public krb API, does it make sense to create
krb5_verify_init_creds_ext() to provide this capability?

-- 
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>

