Russ Allbery wrote:
Wyllys Ingersoll <[EMAIL PROTECTED]> writes:
> Ideally, you wouldn't use the KRB5 APIs at all, you would use
> GSSAPI instead - it is standard and portable across implementations
> and platforms.
Hm, is there a way to use GSSAPI to do password verification? It's
annoying that one has to do this, but alas it's still fairly common
to have to send a Kerberos username/password pair over a TLS
connection to be verified on the server. GSSAPI client support is
slow to materialize.
Unfortunately, not in a standard way. In Solaris, we have implemented
a "gss_acquire_cred_with_password" function that does what you are asking
for, but it is not part of other GSSAPI implementations as far as I know.
There are proposals in the KITTEN WG for extending GSSAPI to do
things like this in the next spec, though.
-Wyllys
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
