Markus Moeller <[EMAIL PROTECTED]> writes: > "Russ Allbery" <[EMAIL PROTECTED]> wrote:
>> Oh, bleh. Yeah, I misread that code; I thought it was doing something >> smarter. Okay, added to the to-do list. It shouldn't be too >> difficult. > The ideal would be to use something similar to GSS_C_NO_NAME (as you I > think intended). so that any keytab entry could be used. Yes. Unless I'm missing something, it seems like krb5_verify_init_creds could use any key in the keytab (well, provided that there isn't another key for the same principal with a later kvno) if no particular principal is specified. This would fail in cases where people have old keys in the keytab that no longer work, and it might fail in some interesting cross-realm cases with keys for other realms in the keytab, but I'd think those cases would be the ones where people could specify what principal to use for verification. And one could do something like iterating through the keytab and trying each key, I suppose. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
