[OpenAFS-devel] verifykt

Jeffrey Altman jaltman@secure-endpoints.com
Sat, 13 Jan 2007 09:14:19 -0500


Marcus Watts wrote:
> That's fine and a good idea -- except that's only MIT.  There ought to
> be something similar that works with Heimdal (which hasn't got kvno),
> and I'd really like to see something that comes with openafs that will
> be linked against the same kerberos libraries as the actual run-time
> servers will be using.  Whatever we do, there are already many
> systems with more than one version of kerberos installed,
> and this probably won't improve in the near term.

I'm sure that Love has something equivalent in Heimdal.  In any case,
you can post the suggestion to both the krbdev@mit.edu and the Heimdal
list.  MIT and Heimdal do talk to each other when it comes to exporting
functions and adding commands.

> Also I don't think kvno quite fits (at least not as is); kvno doesn't
> do initial authentication and works with a regular user tgt & any
> service - very useful but not the same thing really.

I don't understand why this requires initial authentication.  The
question is whether or not the contents of a keytab containing an
entry for a specific service can be used to decrypt the service
ticket that is obtained from the KDC.  This can be done without
initial authentication.  kvno was added to MIT Kerberos to assist in
the debugging of services whose authentication did not work.  It is
a natural extension to add the keytab verification piece to it.
In fact, I'm sure that Sam Hartman is going to wish he thought of it.

Jeffrey Altman
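The check Jeffrey describes, as an added example that is not from this thread or from the OpenAFS project: with an ordinary user TGT already in the credential cache, ask the KDC for a service ticket and confirm that the key version it was encrypted under is one the keytab actually holds. The script assumes MIT `klist -k` output in its usual "KVNO Principal" layout and the MIT `kvno -k KEYTAB` option for the live decryption check; the `SAMPLE_*` strings are constructed here so the parsing logic runs offline.

```sh
#!/bin/sh
# Hypothetical keytab sanity check (not from the thread): compare the key
# version numbers (kvno) a keytab holds for a service principal with the
# kvno the KDC stamps on a freshly issued service ticket.  A mismatch is
# the classic reason a server cannot decrypt tickets clients present.
set -e

# Constructed sample of `klist -k` output (not real output).
SAMPLE_KLIST="Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 afs/example.com@EXAMPLE.COM
   3 afs/example.com@EXAMPLE.COM
   4 host/fs1.example.com@EXAMPLE.COM"

# Constructed sample of `kvno afs/example.com@EXAMPLE.COM` output.
SAMPLE_KVNO="afs/example.com@EXAMPLE.COM: kvno = 3"

# Print every kvno the keytab listing on stdin holds for principal $1.
keytab_kvnos() {
    awk -v p="$1" '$2 == p { print $1 }'
}

# Extract the kvno from a `kvno SERVICE` line on stdin ("...: kvno = N").
ticket_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) when ticket kvno $1 is among the keytab kvnos $2..$n.
kvno_matches() {
    ticket="$1"; shift
    for k in "$@"; do
        [ "$k" = "$ticket" ] && return 0
    done
    return 1
}

# Offline run over the constructed samples; prints "match" or "mismatch".
check_sample() {
    t=$(printf '%s\n' "$SAMPLE_KVNO" | ticket_kvno)
    ks=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos "$1")
    # $ks is deliberately unquoted so each kvno becomes one argument.
    if kvno_matches "$t" $ks; then echo match; else echo mismatch; fi
}

# Live check against a real KDC: needs only a user TGT in the cache, no
# initial authentication as the service.  `kvno -k` (MIT option, assumed
# present) decrypts the returned ticket with the keytab, so it fails loudly
# when the keytab key does not match what the KDC used.
verify_keytab() {
    keytab="$1"; princ="$2"
    t=$(kvno "$princ" | ticket_kvno)
    ks=$(klist -k "$keytab" | keytab_kvnos "$princ")
    if kvno_matches "$t" $ks; then
        echo "keytab has kvno $t for $princ"
    else
        echo "keytab lacks kvno $t for $princ (has: $ks)" >&2
        return 1
    fi
    kvno -k "$keytab" "$princ"
}

if [ $# -ge 2 ]; then
    verify_keytab "$1" "$2"      # e.g. ./verifykt.sh /etc/krb5.keytab afs/cell@REALM
else
    check_sample afs/example.com@EXAMPLE.COM
fi
```

Run with a keytab path and a service principal to exercise the live path; with no arguments it only evaluates the constructed samples, where the afs principal matches and the host principal (kvno 4 in the keytab, 3 on the ticket) would not.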