Unixtime preauthentication

Sam Hartman hartmans at MIT.EDU
Mon Nov 25 14:58:01 EST 2002


>>>>> "Darren" == Darren Reed (Optimation) <darrenr at optimation.com.au> writes:

    Darren> Is there a specification anywhere detailing what each of
    Darren> the preauthentication data formats should be?

    Darren> I've discovered that Cybersafe's Kerberos used "unixtime"
    Darren> (KRB5_PADATA_ENC_UNIX_TIME) preauthentication data and
    Darren> have been able to guess at the format but when I looked at
    Darren> what's provided for KRB5_PADATA_ENC_TIMESTAMP, expecting
    Darren> it to be similar, I find it to be vastly different.

    Darren> The most significant difference is that the timestamp data
    Darren> in krb5 packets is ASN.1 formatted, whereas the unixtime
    Darren> data being sent for Cybersafe is not - just a nonce, the
    Darren> time repeated a few times and a trailer.

    Darren> At least one mention of unixtime on the web suggests that
    Darren> unixtime has been deprecated (I have no problem with this)
    Darren> but if I can at least get the verify function correct (and
    Darren> tested), is the krbdev team interested in patches?

We'd certainly evaluate patches, and it looks from internal discussion
like we would be reasonably likely to accept well-written patches.

I wouldn't bother with a --enable-unix-time option.

You are correct that unix time has been deprecated.  I don't know if
it has security properties different than the encrypted timestamp; if
it does, we may be less interested in it.



