Markus Moeller <[EMAIL PROTECTED]> writes:
> From: "Russ Allbery" <[EMAIL PROTECTED]>
>> I'm pretty sure this is not the case. The PAM module just calls
>> krb5_verify_init_creds, and at least in the MIT implementation, it uses
>> whatever key it can find in the keytab to do the verification. It
>> doesn't have to use a host key.
> Not really. If you look at the MIT source you will see.
> krb5_verify_init_creds(krb5_context context,
>                        krb5_creds *creds,
>                        krb5_principal server_arg,
>                        krb5_keytab keytab_arg,
>                        krb5_ccache *ccache_arg,
>                        krb5_verify_init_creds_opt *options)
> .
> .
> .
> .
>     if (server_arg) {
>         server = server_arg;
>     } else {
>         if ((ret = krb5_sname_to_principal(context, NULL, NULL,
>                                            KRB5_NT_SRV_HST, &server)))
>             goto cleanup;
>     }
> server_tag is the 3rd argument, which you set to NULL, and
> krb5_sname_to_principal with NULL uses the host principal. So I need the
> option to set the server_tag.
Oh, bleh. Yeah, I misread that code; I thought it was doing something
smarter. Okay, added to the to-do list. It shouldn't be too difficult.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
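
Added example (not part of the original thread, and not MIT Kerberos or PAM module code): a simplified, self-contained C model of the branch quoted above, showing why a keytab that holds only a service key is never consulted when the third argument is NULL. The `struct keytab` stand-in, the helper names, the host name and the realm are all constructed for illustration; no Kerberos library is called.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a keytab: a list of principal names (constructed). */
struct keytab {
    const char *const *names;
    size_t count;
};

/* Model of the quoted branch: an explicit server_arg is used as given;
 * NULL falls back to host/<fqdn>@<realm>, the kind of principal that
 * krb5_sname_to_principal(ctx, NULL, NULL, KRB5_NT_SRV_HST, ...) names. */
const char *select_server(const char *server_arg, const char *fqdn,
                          const char *realm, char *buf, size_t buflen)
{
    if (server_arg)
        return server_arg;
    snprintf(buf, buflen, "host/%s@%s", fqdn, realm);
    return buf;
}

/* Returns 1 only if the keytab holds a key for exactly the selected principal. */
int verification_key_found(const struct keytab *kt, const char *server_arg,
                           const char *fqdn, const char *realm)
{
    char buf[256];
    const char *server = select_server(server_arg, fqdn, realm, buf, sizeof(buf));

    for (size_t i = 0; i < kt->count; i++)
        if (strcmp(kt->names[i], server) == 0)
            return 1;
    return 0;
}

/* Constructed sample: a mail server whose keytab has only a service key. */
static const char *const SERVICE_ONLY[] = { "imap/mail.example.org@EXAMPLE.ORG" };
static const struct keytab SERVICE_KT = { SERVICE_ONLY, 1 };

int main(void)
{
    const char *fqdn = "mail.example.org", *realm = "EXAMPLE.ORG";

    /* NULL selects host/mail.example.org@EXAMPLE.ORG, which is not in the keytab. */
    printf("server_arg = NULL       -> key found: %d\n",
           verification_key_found(&SERVICE_KT, NULL, fqdn, realm));
    /* Passing the service principal explicitly lets its key be used. */
    printf("server_arg = imap/...   -> key found: %d\n",
           verification_key_found(&SERVICE_KT, SERVICE_ONLY[0], fqdn, realm));
    return 0;
}
```

The first call reports no key because the NULL default names only the host principal; the second succeeds, which is what a caller-settable option for the third argument would allow.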