Summer_More_More_Tea

Reputation: 13386

Kerberos get initial credential

I am trying to program a Kerberized login module for my application, but some concepts are unclear to me.

I'm learning the MIT Kerberos API by reading the source code of mod_auth_kerb from the Apache HTTP server (I could not find a better starting point; no API tutorial or demo code found online). From it, I find that I need to get initial credentials either from a keytab file or from a user-entered password. What confuses me a lot is that I have already run kinit when logging in to the OS, and I'm sure I have the ticket for principal krbtgt/LOCALHOST@LOCALHOST according to klist, so do I need to get the initial credentials again with krb5_get_init_creds_password/keytab?

BTW, is there a good MIT Kerberos API tutorial available online? Although the official developer's manual is complete, starting from it feels like learning a second language from a dictionary :).

Thank you very much and best regards!

Upvotes: 1

Views: 1566

Answers (1)

Ankur Jain

Reputation: 164

There are two things:

1. kinit is a utility tool which uses krb5_get_init_creds_password internally in the code to get you the credentials.
2. You can then use the kvno utility to use the ticket fetched using kinit to get the service ticket. Example:

 kinit -f [email protected]

By this you will get the ticket for administrator. Now, if you want to use this ticket for some service, let's say CIFS:

 kvno [-k <keytab file> | -c <credential cache>] -u <client> -P service

You can use either the credential cache or the keytab file which you can create using the ktutil utility.

Secondly, if you want to control everything from the code, you will need to understand the krb API and functions like:

krb5_get_init_creds_password

krb5_get_credentials

krb5_get_credentials_for_user

krb5_get_credentials_for_proxy etc.

You can simply see the source code of kinit and kvno from the MIT Kerberos library to get a better understanding of how these functions are used etc.

Ankur

Upvotes: 4
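
An added example, not part of the answer above: a shell sketch of the flow the answer describes, which reuses a TGT already in the credential cache and only runs kinit when `klist -s` reports no valid ticket. The function names `have_valid_tgt` and `get_service_ticket` are hypothetical, and the principal and service are supplied by the caller.

```shell
#!/bin/sh
# Added example (constructed): request a service ticket with the TGT that is
# already in the default credential cache, and fetch initial credentials
# only when that cache is missing or its tickets have expired.

# have_valid_tgt: succeeds when the default ccache holds unexpired tickets.
# `klist -s` prints nothing and reports the result through its exit status.
have_valid_tgt() {
    klist -s
}

# get_service_ticket PRINCIPAL SERVICE
#   PRINCIPAL  client principal to kinit as if no usable TGT exists
#   SERVICE    service principal to request a ticket for
# Prints "reused" when the existing TGT was used, "fresh" when kinit ran.
# Returns 1 if kinit fails and 2 if the service ticket request fails.
get_service_ticket() {
    principal=$1
    service=$2

    if have_valid_tgt; then
        # A TGT from an earlier kinit (for example at OS login) is present,
        # so no password or keytab is needed again.
        tgt_source=reused
    else
        # Only in this case are initial credentials required.
        # kinit prompts for the password on the terminal.
        kinit -f "$principal" || return 1
        tgt_source=fresh
    fi

    # kvno presents the cached TGT to the KDC and stores the resulting
    # service ticket in the same cache; -q suppresses its normal output.
    kvno -q "$service" >/dev/null || return 2

    echo "$tgt_source"
}
```

After a successful call, `klist` lists the service ticket next to the krbtgt entry in the same cache.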
