Session key extraction

Luke Howard lukeh at
Mon Jan 5 02:11:38 EST 2009

On 05/01/2009, at 5:17 PM, Andrew Bartlett wrote:

> On Tue, 2008-12-23 at 10:10 +1100, Luke Howard wrote:
>>> I don't know of anyone who plans to use this feature with MIT  
>>> Kerberos
>>> right now.  So, my approach is to pull any public exposure of the
>>> feature and add a comment encouraging people who want to use it to
>>> negotiate an interface with us.  I think if we're going to do  
>>> this, we
>>> need to commit to being willing to add an interface in a point
>>> release.
>>> (Luke, if you know of users now, we could short circuit and start
>>> that discussion now.)
>> Microsoft protocols that need this include SMB and DRS (replication
>> service). I believe Samba, Novell, and Likewise will require this.
>> Presently there is no explicit API for this, it is indirected through
>> gss_inquire_sec_context_by_oid() with GSS_C_INQ_SESSION_KEY.
> Indeed.  Keeping this, and keeping this as close to the Heimdal API as
> possible is critical for a future where Samba (4 in particular) can  
> use
> either MIT Kerberos or Heimdal.

Well, Heimdal can implement GSS_C_INQ_SSPI_SESSION_KEY :-)

-- Luke

More information about the krbdev mailing list