KRB_AP_REP question

[Sam Hartman]

>>>>> "matt" == matt  <rottyguy70 at yahoo.com> writes:

    matt> greetings, my understanding is that the KRB_AP_REP is
    matt> returned by the host when mutual authentication is requested
    matt> by the client.  as part of the client authenticator, it can
    matt> choose to provide (among others) checksum, seq_no, subkey.
    matt> however, in the KRB_AP_REP message, only seq_no and subkey
    matt> are returned (negotiated).  how come the host side checksum
    matt> is omitted?  what if the client wants to validate the
    matt> server's response payload?


The server should consider using krb_safe.  Really the checksum in the
ap_req is kind of a hack.  The absence of a checksum in the ap_rep is
also broken as you point out, but not easy to fix.

There's on going revisions to the Kerberos protocol within the IETF.