RX Kerberos 5 security class requirements of Kerberos library

Jeffrey Altman jaltman at secure-endpoints.com
Tue Jan 2 10:56:49 EST 2007

At the last AFS & Kerberos Best Practice Workshop, Marcus Watts and Matt
Benjamin presented the rxk5 security class, a replacement for rxkad
which is dependent on single DES keys.  The development of rxk5 has
developed to the point where it is now viable for deployment in test
environments on UNIX and Windows except that there is required
functionality that is currently not available via the MIT Kerberos API.
rxk5 requires the ability to generate a krb5 service ticket when given
the service key in a key table.

  krb5_error_code KRB5_CALLCONV
      krb5_context context,
      krb5_keytab keytab,
      krb5_principal service,
      krb5_principal client,
      time_t starttime,
      time_t endtime,
      krb5_enctype *allowed_enctypes,
      krb5_address *address,
      krb5_creds** out_creds /* out */ )

As part of Marcus' rxk5 patch to OpenAFS he has implemented a function
called afs_rxk5_k5forge() that is essentially the
krb5_generate_creds_with_keytab() for Heimdal and MIT Kerberos.
Implementing the functionality for MIT Kerberos requires the use of two
private MIT Kerberos functions for which there are no public
equivalents:  krb5_encrypt_tkt_part() and encode_krb5_ticket().
I believe that adding krb5_generate_creds_with_keytab() as a public
function is a better solution than than exporting the two private
functions.  Exporting the private functions (or providing public
wrappers) would violate the abstraction layer.

Before I submit a patch, is the concept of
krb5_generate_creds_with_keytab something that MIT and Heimdal would
accept?  If so, a patch can be ready in a few hours.


Jeffrey Altman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20070102/21d25337/attachment.bin

More information about the krbdev mailing list