krb5_pac_verify and server key enctype extraction
Love Hörnquist Åstrand
lha at apple.com
Tue Aug 4 13:57:24 EDT 2009
> Love: did Heimdal always verify the PAC in gss_accept_sec_context()?
> This is an issue for MIT, because 1.7 we shipped APIs for extracting
> authorisation data. An application unaware of which GSS-API
> implementation it is using cannot be sure whether the PAC was verified
> after calling gss_accept_sec_context().
Heimdal, with its extracting API, has always verified the PAC, so that Samba
didn't need to do this work. I grew tired of poking more and more
holes through GSS-API to expose the Kerberos inner workings that the PAC and
other things depend on.
More information about the krbdev