[Freeipa-devel] Notes on server to server sasl
Rich Megginson
rmeggins at redhat.com
Fri Oct 31 18:36:19 UTC 2008
Simo Sorce wrote:
> On Fri, 2008-10-31 at 10:26 -0600, Rich Megginson wrote:
>
>> Simo Sorce wrote:
>>
>>> On Fri, 2008-10-31 at 09:18 -0600, Rich Megginson wrote:
>>>
>>>>> The credential cache contains the expiration date of the credentials,
>>>>> you should be able to check without contacting the KDC (and we do not
>>>>> want to contact the KDC at all, unless we need to acquire a ticket).
>>>>>
>>>> So if current datetime < cred expiration datetime, then the creds are
>>>> ok? No other validation needs to be done?
>>>>
>>> Usually it is safe to assume so.
>>> The only exception is someone generating a new key for the service, and
>>> replacing the service keytab instead of appending to it (so that the
>>> older key material with the previous kvno is no longer available to the
>>> server which cannot verify older credentials still valid).
>>>
>>> In this case you should get back an auth error. You may decide at this
>>> point to discard the current ticket and try to acquire a new one.
>>>
>> Ok. Hmm - seems that my code will need to add some further complexity.
>> Right now it just takes the first entry from the server's keytab file
>> and uses that for authentication. Is it possible the keytab may contain
>> entries that cannot/should not be used?
>>
>
> You manually parse the keytab ?
>
I need a principal to pass to krb5_get_init_creds_keytab. I do not have
a way for the user to specify the principal. I need a principal that
actually exists in the keytab, so I use
krb5_kt_start_seq_get/krb5_kt_next_entry/krb5_kt_end_seq_get to iterate
the keytab entries, grabbing the first principal.
> In a keytab you can have entries for many different services,
For the directory server service keytab? It will have principals other
than ldap/fqdn at REALM?
> as well
> multiple entries for the same service but with different kvno.
> The highest kvno is the newest one and should be the one to be used.
> Older keys can be used only to accept valid tickets in the time-frame
> that the old keys are still valid.
>
eek - then how is the code supposed to know which principal to use?
> Simo.
>
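To see why "grab the first keytab entry" is fragile, here is an added example (not 389-ds, FreeIPA or MIT Kerberos code) that reads the MIT keytab file format 0x0502 directly in Python instead of going through krb5_kt_start_seq_get/krb5_kt_next_entry, and selects the highest-kvno entry for a given service name. The principal, realm, enctype number, timestamps and key bytes in SAMPLE are constructed values.

```python
import struct
from collections import namedtuple
# MIT keytab file format 0x0502 (big-endian) reader plus a tiny writer for
# constructed input. Added example for this thread; not 389-ds/FreeIPA code.
Entry = namedtuple("Entry", "principal kvno enctype key timestamp")
_cstr = lambda b: struct.pack(">H", len(b)) + b  # counted octet string

def build_keytab(entries, name_type=1):
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.split("@", 1); comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return every live Entry; a negative slot size marks a deleted entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0: pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []  # realm first, then the principal name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        _ntype, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(Entry("/".join(parts[1:]) + "@" + parts[0], kvno, etype, key, ts))
        pos = end
    return entries

def newest_key(entries, service):
    """Highest-kvno entry whose first name component is `service`, else None."""
    hits = [e for e in entries if e.principal.split("/", 1)[0] == service]
    return max(hits, key=lambda e: e.kvno) if hits else None

# Constructed sample: first entry is the OLD ldap key; host/ is another service.
SAMPLE = build_keytab([
    Entry("ldap/ipa.example.test@EXAMPLE.TEST", 2, 18, b"\x11" * 32, 1225400000),
    Entry("host/ipa.example.test@EXAMPLE.TEST", 1, 18, b"\x22" * 32, 1225400000),
    Entry("ldap/ipa.example.test@EXAMPLE.TEST", 3, 18, b"\x33" * 32, 1225450000)])
```

With SAMPLE, taking the first entry yields the kvno 2 ldap key, while newest_key(parse_keytab(SAMPLE), "ldap") returns the kvno 3 entry that a KDC-issued ticket would actually be encrypted under.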