krb5_pac_verify and server key enctype extraction

Love Hörnquist Åstrand lha at
Tue Aug 4 13:57:24 EDT 2009

> Love: did Heimdal always verify the PAC in gss_accept_sec_context()?
> This is an issue for MIT, because 1.7 we shipped APIs for extracting
> authorisation data. An application unaware of which GSS-API
> implementation it is using cannot be sure whether the PAC was verified
> after calling gss_accept_sec_context().

Heimdal with extracting API have always verifed the PAC, this so samba  
didn't need to do this work. I grew tired of poking more and more  
holes though gss-api to expose kerberos inner workings that PAC and  
other things depends on.


More information about the krbdev mailing list