Session key extraction
Sam Hartman
hartmans at MIT.EDU
Mon Dec 22 15:39:08 EST 2008
Luke's changes introduce a mechanism-independent API for extracting the session key from a context.
Windows has this feature where you can get a session key from any SSPI context. According to Luke, some Windows protocols such as SMB need this.
I'm very uncomfortable with this concept: using a session key without
knowing what kind of key it is or what structure it is seems kind of
dangerous.
I don't know of anyone who plans to use this feature with MIT Kerberos
right now. So, my approach is to pull any public exposure of the
feature and add a comment encouraging people who want to use it to
negotiate an interface with us. I think if we're going to do this, we
need to commit to being willing to add an interface in a point
release.
(Luke, if you know of users now, we could short-circuit and start that discussion now.)
Examples of interfaces I'd be more comfortable with:
* Get the Windows session key from this context. I.e., defined only for mechanisms used on Windows
and defined to be the thing SSPI would give you.
* Something like lucid_context that is not mechanism-independent.
Does this make sense to people?