I'd like to integrate Kerberos into an existing application. In particular, when this application performs certain operations, I want to explicitly force the user to re-authenticate. To be clear, the user will generally already have a valid Kerberos ticket. Despite that, I want to force him to re-enter his password at certain points in this application. In other words, I don't care if he already has a ticket or cached credentials; I (loosely speaking) want to do the equivalent of kinit followed by a kdestroy.
I assume this is fairly straightforward. I'm starting to look at API examples now (including the source for kinit/kdestroy). At this point I'm just looking for any thoughts on why I might be going down a bad path or any pitfalls I should keep in mind. I do have a couple of slightly specific questions at this point:

- Will forcing the retrieval of a new ticket interfere in any way with the user's current credentials (or his credentials cache)? The main reason we currently have Kerberos implemented is for Kerberized NFSv4 home directories (i.e. the sec=krb5p NFS mount option). So, as I suggested above, the user will already have a valid Kerberos ticket and credentials cache (otherwise they'll be "permission denied" out of their own home dir). I don't want to interfere with those, just authenticate that the person using this program is really who he says he is.

- I'm just getting started with familiarizing myself with the Kerberos API, but already I see that it's a fairly low-level way to achieve my goal. I.e., some of my reading suggests using GSS-API, SASL+TLS, etc. might be a more "generic" approach... any thoughts on this, given my use case?

Just to give a little more insight into our environment: this is a pure Linux environment, in particular CentOS (i.e. RedHat Enterprise Linux) 5/6/7. RHEL ships with MIT Kerberos.

Lastly, FWIW, the program we want to integrate with Kerberos is tmux (same concept as GNU Screen). tmux allows terminals to be "detached" and "reattached" (e.g. detach, go home, login remotely, attach to get your exact same terminal(s) back). What we want is to force a Kerberos authentication whenever an "attach" is attempted. This is to prevent admins (i.e. the root user) from su'ing to that user, then attaching to his console (and why we don't want to use existing credentials, but force password entry).

Thanks!

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos