de facto inline mutual auth via krb5_mk_req / krb5_rd_req?
Todd Zino
tcz3 at cornell.edu
Thu Feb 14 13:30:01 EST 2002
>There's a perfectly fine mutual authentication mechanism provided by
>the krb_ap_rep message in the Kerberos protocol. Use that; it has the
>same number of messages as your current scheme.
Would this mean doing mk_rep / rd_rep in place of mk_req / rd_req for those
two messages? The main thing the server is doing with the rd_req is simply
getting the client's principal fullname and discarding the rest of the
kTicket; can/should this be done with a different set of messages than
AP_REQ if I want to have the mutual part included? I don't see a ticket or
principal included in the ap_rep struct.
>If you pass in the mutual flag to krb5_mk_req you should get an ap_rep out
>of krb5_rd_req.
What would the client pull from this after the mk_req is done locally, in
order to compare with what the server eventually sends back? The only place
I see the AP_OPTS_MUTUAL_REQUIRED flag explicitly used in the AP_REQ src's
is on the rd_req_decode() where it determines whether or not to ^ the
sequence number (can/should I set these manually to that random number on
the client beforehand as a 'checksum' of sorts?). I don't see the
krb5_ap_rep struct linked to the returned krb5_ticket struct in krb5.h.
Let me know if I'm barking up the wrong tree in envisioning the optimal
solution,
--Todd