KRB_AP_REP question

Sam Hartman hartmans at MIT.EDU
Fri Feb 20 06:26:10 EST 2004


>>>>> "matt" == matt  <rottyguy70 at yahoo.com> writes:

    matt> Greetings, my understanding is that the KRB_AP_REP is
    matt> returned by the host when mutual authentication is requested
    matt> by the client.  As part of the client authenticator, it can
    matt> choose to provide (among others) checksum, seq_no, subkey.
    matt> However, in the KRB_AP_REP message, only seq_no and subkey
    matt> are returned (negotiated).  How come the host-side checksum
    matt> is omitted?  What if the client wants to validate the
    matt> server's response payload?


The server should consider using krb_safe.  Really, the checksum in the
ap_req is kind of a hack.  The absence of a checksum in the ap_rep is
also broken, as you point out, but not easy to fix.

There are ongoing revisions to the Kerberos protocol within the IETF.
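The gap discussed above, as an added worked example (not code from the original post, and not MIT Kerberos code): the AP-REP hands the client only a subkey and a sequence number, so a bare response payload from the server carries nothing the client can check, whereas a KRB-SAFE message binds the payload to a keyed checksum under that subkey, plus a sequence number and timestamp. The model below is simplified and every concrete value is constructed: the safe-body is length-prefixed rather than DER-encoded, HMAC-SHA256 over usage||body stands in for an RFC 3961 checksum type (real implementations fold key usage 15 into key derivation), and the subkey, server address and clock are fixed sample values.

```python
"""Why an AP-REP alone does not protect a server's response payload,
and how KRB-SAFE does.  Added example with simplified encoding and
checksum; see the comments for what is a stand-in."""
import hashlib
import hmac
import struct

# Key usage number for the KRB-SAFE checksum, RFC 4120 section 7.5.1.
KRB_SAFE_KEY_USAGE = 15

# Constructed sample values: in a real exchange the subkey comes from the
# AP-REQ authenticator or the AP-REP, and the address from the socket.
SUBKEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_ADDR = b"\x0a\x00\x00\x02"   # 10.0.0.2, the server's s-address
FIXED_NOW = 1077276370.0            # constructed clock for reproducible runs


def encode_safe_body(user_data, timestamp, usec, seq_number, s_address):
    """Deterministic encoding of the KRB-SAFE-BODY fields.  Stand-in for
    the ASN.1 DER encoding the real checksum is computed over; only
    determinism matters here."""
    fields = (user_data, struct.pack(">Q", timestamp), struct.pack(">I", usec),
              struct.pack(">I", seq_number), s_address)
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def safe_checksum(key, body):
    """Keyed checksum over the encoded body.  RFC 3961 checksum types fold
    the key usage into key derivation; HMAC-SHA256 over usage||body is a
    simplification that keeps the same keyed, usage-bound property."""
    return hmac.new(key, struct.pack(">I", KRB_SAFE_KEY_USAGE) + body,
                    hashlib.sha256).digest()


def make_krb_safe(key, user_data, seq_number, s_address, now):
    """Build a KRB-SAFE message: safe-body plus checksum over its encoding."""
    timestamp = int(now)
    usec = int(round((now - timestamp) * 1_000_000))
    body = {"user_data": user_data, "timestamp": timestamp, "usec": usec,
            "seq_number": seq_number, "s_address": s_address}
    return {"pvno": 5, "msg_type": 20, "safe_body": body,
            "cksum": safe_checksum(key, encode_safe_body(**body))}


def verify_krb_safe(key, msg, expected_seq, peer_address, now, max_skew=300):
    """Return user-data if the checksum, sequence number, sender address and
    timestamp all check out; raise ValueError naming the first failure."""
    body = msg["safe_body"]
    expected = safe_checksum(key, encode_safe_body(**body))
    if not hmac.compare_digest(expected, msg["cksum"]):
        raise ValueError("checksum mismatch: body modified in transit")
    if body["seq_number"] != expected_seq:
        raise ValueError("sequence number mismatch: replay or reordering")
    if body["s_address"] != peer_address:
        raise ValueError("sender address mismatch")
    if abs(now - body["timestamp"]) > max_skew:
        raise ValueError("timestamp outside clock-skew window")
    return body["user_data"]


def run_exchange(tamper=False, replay=False):
    """Server answers the client with KRB-SAFE after mutual authentication.
    The AP-REP gave the client only a subkey and a sequence number, so a
    bare response payload could be altered without detection; the KRB-SAFE
    checksum is what lets the client check the payload."""
    server_seq, client_expected = 42, 42
    reply = make_krb_safe(SUBKEY, b"balance=100", server_seq, SERVER_ADDR, FIXED_NOW)
    if tamper:
        # An attacker on the path rewrites the payload but cannot recompute
        # the checksum without the subkey.
        reply["safe_body"]["user_data"] = b"balance=999"
    results = []
    for msg in ([reply, reply] if replay else [reply]):
        try:
            data = verify_krb_safe(SUBKEY, msg, client_expected, SERVER_ADDR, FIXED_NOW)
            results.append("accepted:" + data.decode())
            client_expected += 1
        except ValueError as err:
            results.append("rejected:" + str(err))
    return results


if __name__ == "__main__":
    for kwargs in ({}, {"tamper": True}, {"replay": True}):
        print(kwargs, run_exchange(**kwargs))
```

The client's sequence-number check is what turns the AP-REP's negotiated seq_no into replay protection; the checksum is what the AP-REP itself never provides for application data, which is the point of wrapping the server's payload in KRB-SAFE (or KRB-PRIV, if confidentiality is also wanted).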

