in_data/checksum in AP-REQ?

Greg Hudson ghudson at MIT.EDU
Tue Aug 9 09:55:16 EDT 2011


On Tue, 2011-08-09 at 03:44 -0400, Chris Hecker wrote:
> What's the in_data for on an AP-REQ/mk_req?  It gets checksummed and 
> stuffed in the authenticator, but it doesn't seem to be used anywhere 

An application can use this to checksum some data which is sent along
with the authenticator request.  The receiving application would have to
use krb5_auth_con_getauthenticator() to get at the checksum and verify
it.  It's not a widely-used feature of the protocol (well, the GSSAPI
mech uses the field, but not as an RFC 3961 checksum) and it's subject
to replay attacks because no subkey has been established, so you're
probably best off ignoring it.




