Kerberos PAC decoding support
Ken Hornstein
kenh at cmf.nrl.navy.mil
Thu Aug 24 13:01:54 EDT 2023
>I am wondering if it is reasonable to request the MIT library to
>support PAC decoding (possibly in the form of Named Attributes) so that the
>information there could be used in the calling application, i.e.:
>
>https://github.com/gssapi/mod_auth_gssapi/issues/288#issuecomment-1690541858
>
>Is something like this reasonable? If yes, is this support planned in
>forthcoming releases of MIT Kerberos library?

I _think_ that's already there? If you're using the GSSAPI you already
have support for named attribute retrieval, as detailed here:

https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html

I know there is already extensive PAC decoding and validation in later
MIT Kerberos versions. But I would caution you that, like Simo mentioned,
I think all you get is SIDs in the PAC and you have to do some more work
to turn that into something useful.

--Ken