de facto inline mutual auth via krb5_mk_req / krb5_rd_req?

Todd Zino tcz3 at cornell.edu
Thu Feb 14 13:30:01 EST 2002


>There's a perfectly fine mutual authentication mechanism provided by
>the krb_ap_rep message in the Kerberos protocol.  Use that; it has the
>same number of messages as your current scheme.

Would this mean doing mk_rep / rd_rep in place of mk_req / rd_req for those 
two messages? The main thing the server is doing with the rd_req is simply 
getting the client's principal fullname and discarding the rest of the 
kTicket; can/should this be done with a different set of messages than 
AP_REQ if I want to have the mutual part included? I don't see a ticket or 
principal included in the ap_rep struct.

>If you pass in the mutual flag to krb5_mk_req you should get an ap_rep out 
>of krb5_rd_req.

What would the client pull from this after the mk_req is done locally, in 
order to compare with what the server eventually sends back? The only place 
I see the AP_OPTS_MUTUAL_REQUIRED flag explicitly used in the AP_REQ src's 
is on the rd_req_decode() where it determines whether or not to ^ the 
sequence number (can/should I set these manually to that random number on 
the client beforehand as a 'checksum' of sorts?). I don't see the 
krb5_ap_rep struct linked to the returned krb5_ticket struct in krb5.h

Let me know if I'm barking up the wrong tree in envisioning the optimal 
solution,

--Todd
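The question above is what the client keeps after krb5_mk_req so that it can check the server's AP_REP. In the protocol the answer is its own authenticator: the server's EncAPRepPart echoes the authenticator's ctime and cusec (and may carry the server's own seq-number, which the client records rather than presets), all encrypted under the ticket's session key, which only a holder of the service key can recover from the ticket. The following is an added model of that exchange, not MIT krb5 code: the functions mirror the roles of krb5_mk_req / krb5_rd_req / krb5_mk_rep / krb5_rd_rep, the KDC, the principal name and a keyed-XOR-plus-HMAC stand-in for Kerberos encryption are all constructed here so the script runs offline, and only the AP_OPTS_MUTUAL_REQUIRED value is taken from krb5.h.

```python
"""Model of Kerberos AP_REQ / AP_REP mutual authentication (added example)."""
import hashlib
import hmac
import json
import os
import time

AP_OPTS_MUTUAL_REQUIRED = 0x20000000  # value as defined in krb5.h


# --- stand-in for Kerberos EncryptedData (constructed; NOT a real enctype) ---
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key, obj):
    """Encrypt a JSON-serialisable dict; nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    """Reject anything not produced under `key` (models a failed krb5 decrypt)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# --- the three parties ---
def kdc_issue_ticket(service_key, client_principal):
    """KDC: ticket = {cname, session key} sealed under the service's key."""
    session_key = os.urandom(32)
    ticket = encrypt(service_key, {"cname": client_principal, "key": session_key.hex()})
    return ticket, session_key


def mk_req(ticket, session_key, client_principal, ap_options):
    """Client side of krb5_mk_req: keep the authenticator for rd_rep later."""
    now = time.time()
    authenticator = {"cname": client_principal, "ctime": int(now), "cusec": int(now % 1 * 1e6)}
    ap_req = {"ap_options": ap_options, "ticket": ticket,
              "authenticator": encrypt(session_key, authenticator)}
    return ap_req, authenticator


def mk_rep(session_key, authenticator):
    """Server side of krb5_mk_rep: EncAPRepPart echoes ctime/cusec, adds seq-number."""
    return encrypt(session_key, {"ctime": authenticator["ctime"], "cusec": authenticator["cusec"],
                                 "seq_number": int.from_bytes(os.urandom(4), "big")})


def rd_req(service_key, ap_req, max_skew=300):
    """Server side of krb5_rd_req: open ticket, verify authenticator, reply if mutual."""
    tkt = decrypt(service_key, ap_req["ticket"])          # fails without the service key
    session_key = bytes.fromhex(tkt["key"])
    auth = decrypt(session_key, ap_req["authenticator"])
    if auth["cname"] != tkt["cname"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(time.time() - auth["ctime"]) > max_skew:
        raise ValueError("clock skew too great")
    ap_rep = mk_rep(session_key, auth) if ap_req["ap_options"] & AP_OPTS_MUTUAL_REQUIRED else None
    return tkt["cname"], session_key, ap_rep


def rd_rep(session_key, authenticator, ap_rep):
    """Client side of krb5_rd_rep: the reply must echo OUR authenticator's timestamp."""
    rep = decrypt(session_key, ap_rep)
    if (rep["ctime"], rep["cusec"]) != (authenticator["ctime"], authenticator["cusec"]):
        raise ValueError("AP_REP does not echo our authenticator timestamp")
    return rep  # rep["seq_number"] is what the client records for KRB_SAFE/KRB_PRIV


def demo(server_has_real_key=True):
    """Run one exchange; returns (principal seen by server, client accepted server?)."""
    service_key = os.urandom(32)
    ticket, session_key = kdc_issue_ticket(service_key, "todd@EXAMPLE.COM")  # constructed name
    ap_req, authenticator = mk_req(ticket, session_key, "todd@EXAMPLE.COM", AP_OPTS_MUTUAL_REQUIRED)
    key_at_server = service_key if server_has_real_key else os.urandom(32)
    try:
        cname, _, ap_rep = rd_req(key_at_server, ap_req)
    except ValueError:
        # An impostor cannot open the ticket, so it can only fabricate a reply.
        cname, ap_rep = None, encrypt(os.urandom(32), {"ctime": 0, "cusec": 0, "seq_number": 0})
    try:
        rd_rep(session_key, authenticator, ap_rep)
        return cname, True
    except ValueError:
        return cname, False


if __name__ == "__main__":
    print("genuine server:", demo(True))
    print("impostor server:", demo(False))
```

The point the model makes: the server does get the client principal out of rd_req (the ticket's cname), and the client's mutual check needs nothing beyond the authenticator it built in mk_req and the session key from its credentials; a server that never held the service key cannot produce a reply that rd_rep accepts.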
