RX Kerberos 5 security class requirements of Kerberos library
jaltman at secure-endpoints.com
Tue Jan 2 10:56:49 EST 2007
At the last AFS & Kerberos Best Practice Workshop, Marcus Watts and Matt
Benjamin presented the rxk5 security class, a replacement for rxkad
which is dependent on single DES keys. The development of rxk5 has
developed to the point where it is now viable for deployment in test
environments on UNIX and Windows except that there is required
functionality that is currently not available via the MIT Kerberos API.
rxk5 requires the ability to generate a krb5 service ticket when given
the service key in a key table.
krb5_creds** out_creds /* out */ )
As part of Marcus' rxk5 patch to OpenAFS he has implemented a function
called afs_rxk5_k5forge() that is essentially the
krb5_generate_creds_with_keytab() for Heimdal and MIT Kerberos.
Implementing the functionality for MIT Kerberos requires the use of two
private MIT Kerberos functions for which there are no public
equivalents: krb5_encrypt_tkt_part() and encode_krb5_ticket().
I believe that adding krb5_generate_creds_with_keytab() as a public
function is a better solution than than exporting the two private
functions. Exporting the private functions (or providing public
wrappers) would violate the abstraction layer.
Before I submit a patch, is the concept of
krb5_generate_creds_with_keytab something that MIT and Heimdal would
accept? If so, a patch can be ready in a few hours.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20070102/21d25337/attachment.bin
More information about the krbdev