[krbdev.mit.edu #8503] Access to AS REP keys to decrypt MS-PAC's PAC_CREDENTIAL_DATA
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Oct 10 10:49:52 EDT 2016
Can Windows do PKINIT and FAST in the same AS-REQ? If so, is the
PAC_CREDENTIAL_DATA encrypted in the actual reply key, or the reply key
before the KrbFastResponse strengthen-key is applied?
To address Sam's response: we could provide an API combining get_init_creds
and verification, or a GIC option which causes get_init_creds to perform
verification using a supplied keytab, to avoid exposing the reply key to
the application. That's more work for us, but would make it easier to
write a proper login application. Of course, we would then have to surface
the decrypted PAC_CREDENTIAL_DATA to the application, probably via another
GIC option.