Session key extraction

Sam Hartman hartmans at MIT.EDU
Mon Dec 22 15:39:08 EST 2008



Luke's changes introduce a mechanism-independent API for extracting the session key from a context.

Windows has this feature where you can get a session key from any SSPI context. According to Luke, some Windows protocols such as SMB need this.

I'm very uncomfortable with this concept: using a session key without
knowing what kind of key it is or what structure it is seems kind of
dangerous.


I don't know of anyone who plans to use this feature with MIT Kerberos
right now.  So, my approach is to pull any public exposure of the
feature and add a comment encouraging people who want to use it to
negotiate an interface with us.  I think if we're going to do this, we
need to commit to being willing to add an interface in a point
release.
(Luke, if you know of users now, we could short circuit and start that discussion now.)

Examples of interfaces I'd be more comfortable with:

* Get the Windows session key from this context, i.e. defined only for mechanisms used on Windows
and defined to be the thing SSPI would give you.

* Something like lucid_context that is not mechanism independent.

Does this make sense to people?


