Session key extraction

Ken Raeburn raeburn at MIT.EDU
Mon Dec 22 18:02:57 EST 2008

On Dec 22, 2008, at 15:39, Sam Hartman wrote:
> Luke's changes introduce a mechanism independent API for extracting  
> the session key from a context.

> I'm very uncomfortable with this concept: using a session key without
> knowing what kind of key it is or what structure it is seems kind of
> dangerous.

Agreed, though I would hope it's used either as input to a hash or  
encryption function that wouldn't care about the structure; even if it  
is, though, using it for the application's own purpose and  
simultaneously using it within GSSAPI-type calls (including just  
session establishment) doesn't seem wise.  And Greg's got good points  
about the idea possibly not even being applicable in any reasonable  
way to some future mechanism.

> * Get the Windows session key from this context.  I.E. defined only  
> for mechanisms used on windows
> and defined to be the thing SSPI would give you.

This would make the purpose clear...

> * Something like lucid_context that is not mechanism independent.

I assume being mechanism-dependent is the main reason the lucid  
context support doesn't suffice for this now?


More information about the krbdev mailing list