[27864] in Kerberos
Re: pam-krb5 3.5 released
daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Jun 1 18:41:38 2007
From: Russ Allbery <rra@stanford.edu>
To: "Markus Moeller" <huaraz@moeller.plus.com>
In-Reply-To: <042b01c7a49c$7bddb7d0$0801a8c0@home> (Markus Moeller's message
of "Fri, 1 Jun 2007 23:30:39 +0100")
Date: Fri, 01 Jun 2007 15:41:23 -0700
Message-ID: <87hcprz4a4.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Markus Moeller <huaraz@moeller.plus.com> writes:
> From: "Russ Allbery" <rra@stanford.edu>
>> I'm pretty sure this is not the case. The PAM module just calls
>> krb5_verify_init_creds, and at least in the MIT implementation, it uses
>> whatever key it can find in the keytab to do the verification. It
>> doesn't have to use a host key.
> Not really. If you look at the MIT source you will see.
> krb5_verify_init_creds(krb5_context context,
>                        krb5_creds *creds,
>                        krb5_principal server_arg,
>                        krb5_keytab keytab_arg,
>                        krb5_ccache *ccache_arg,
>                        krb5_verify_init_creds_opt *options)
> ...
>     if (server_arg) {
>         server = server_arg;
>     } else {
>         if ((ret = krb5_sname_to_principal(context, NULL, NULL,
>                                            KRB5_NT_SRV_HST, &server)))
>             goto cleanup;
>     }
> server_arg is the 3rd argument, which you set to NULL, and
> krb5_sname_to_principal with NULL uses the host principal. So I need the
> option to set server_arg.
Oh, bleh. Yeah, I misread that code; I thought it was doing something
smarter. Okay, added to the to-do list. It shouldn't be too difficult.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos