Skip Menu |

Subject: krb5 apps in source tree should not use deprecated API
Applications that are distributed in the source tree should not use the
deprecated API. People should be able to look at the code as examples
of what and not to do.

There are four apps:

kprop: Uses krb5_get_in_tkt_with_keytab, krb5_auth_con_initivector
ksu: Uses âkrb5_get_in_tkt_with_password
kdc5_hammer: krb5_get_in_tkt_with_password
lib/kadm5/unit-test/setkey-test: krb5_get_in_tkt_with_keytab

In addition, internal library code uses the deprecated code:

krb5_build_principal_alloc_va depends on deprecated
krb5_build_principal_va (trivial fix - use the krb5int version)

krb_get_in_tkt_with_skey uses krb5_get_in_tkt and
From: kaduk@MIT.EDU
Subject: git commit
Download (untitled) / with headers
text/plain 1.3KiB

Avoid deprecated krb5_get_in_tkt_with_keytab

The kprop code has been pretty unloved, and uses some routines that
are marked as deprecated (which show up as warnings in the build log).
Use the documented replacement for krb5_get_in_tkt_with_keytab,
krb5_get_init_creds_keytab, instead. As a bonus, there is no longer
a side effect of a credentials cache that needs to be destroyed.

The also-deprecated function krb5_get_in_tkt_with_skey was backending
to it when no keyblock was passed in; we can unroll the call to
krb5_get_init_creds_keytab ourselves as the documented workaround.
While here, improve style compliance with regards to cleanup.

The setkey test just wants to know whether it can use the key it
just put into a keytab to get credentials; as such the recommended
krb5_get_init_creds_keytab is quite sufficient.
While here, use that interface to request the particular enctype
as well, reducing the scope of an XXX comment.
Author: Ben Kaduk <>
Commit: 29dee7d2cece615bec4616fa9b727e77210051db
Branch: master
src/lib/kadm5/unit-test/setkey-test.c | 22 +++++++++++--------
src/lib/krb5/krb/in_tkt_sky.c | 36 ++++++++++++++++++--------------
src/slave/kprop.c | 34 +++++++++++-------------------
3 files changed, 46 insertions(+), 46 deletions(-)