[19875] in Kerberos_V5_Development
Re: Question about excluding the PAC
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Jan 25 17:56:50 2019
To: "Schwartz, John" <John.Schwartz@anthem.com>, "krbdev@mit.edu" <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <7e600a0c-b1c9-69e5-1a2b-072da89c621c@mit.edu>
Date: Fri, 25 Jan 2019 17:56:39 -0500

On 1/25/19 4:56 PM, Schwartz, John wrote:
> I see that kinit has the option "--no-request-pac"
>
> Is there a similar way to do it from the krb5.conf or does it need a custom shared object?

There is no krb5.conf variable, but if you have control of the web
server C code which invokes krb5_get_init_creds_password(), you can do
it via a get_init_creds option. The relevant functions are:

https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_get_init_creds_opt_alloc.html
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_get_init_creds_opt_free.html

Note that this option is new in release 1.15.