AP_OPTS_MUTUAL_REQUIRED only when using sendauth/recvauth? also, subkey prng priming?
Greg Hudson
ghudson at MIT.EDU
Sat Jul 23 23:23:30 EDT 2011
On Sat, 2011-07-23 at 22:38 -0400, Chris Hecker wrote:
> It looks like I should pass it since this if-statement exists, yes? I'm
> still a security noob, but I'd assume it wouldn't be there if it wasn't
> important?
For protocol conformance, you should probably set the flag. But I don't
think anything will go wrong if you don't. The conditional you found
will erroneously decide to initialize the local sequence number based on
the remote one, but krb5_mk_rep() will overwrite that anyway.
> Also, a related question, if you're using AP_OPTS_USE_SUBKEY,
> sendauth primes the prng a bit more manually...should I do this in my
> app?
Ideally this should be unnecessary, as we can seed our PRNG from
OS-level entropy. The caveat is that our Windows code for obtaining OS
entropy doesn't appear to work on XP (it works on 7; I'm not sure about
Vista), but I hope we can fix that.
More information about the Kerberos
mailing list