AP_OPTS_MUTUAL_REQUIRED only when using sendauth/recvauth? also, subkey prng priming?

Greg Hudson ghudson at MIT.EDU
Sat Jul 23 23:23:30 EDT 2011


On Sat, 2011-07-23 at 22:38 -0400, Chris Hecker wrote:
> It looks like I should pass it since this if-statement exists, yes?  I'm 
> still a security noob, but I'd assume it wouldn't be there if it wasn't 
> important?

For protocol conformance, you should probably set the flag.  But I don't
think anything will go wrong if you don't.  The conditional you found
will erroneously decide to initialize the local sequence number based on
the remote one, but krb5_mk_rep() will overwrite that anyway.

> Also, a related question, if you're using AP_OPTS_USE_SUBKEY,
> sendauth primes the prng a bit more manually...should I do this in my
> app?

Ideally this should be unnecessary, as we can seed our PRNG from
OS-level entropy.  The caveat is that our Windows code for obtaining OS
entropy doesn't appear to work on XP (it works on 7; I'm not sure about
Vista), but I hope we can fix that.






More information about the Kerberos mailing list