Session key extraction
lukeh at padl.com
Mon Jan 5 02:11:38 EST 2009
On 05/01/2009, at 5:17 PM, Andrew Bartlett wrote:
> On Tue, 2008-12-23 at 10:10 +1100, Luke Howard wrote:
>>> I don't know of anyone who plans to use this feature with MIT
>>> right now. So, my approach is to pull any public exposure of the
>>> feature and add a comment encouraging people who want to use it to
>>> negotiate an interface with us. I think if we're going to do this, we
>>> need to commit to being willing to add an interface in a point
>>> (Luke, if you know of users now, we could short circuit and start
>>> that discussion now.)
>> Microsoft protocols that need this include SMB and DRS (replication
>> service). I believe Samba, Novell, and Likewise will require this.
>> Presently there is no explicit API for this; it is indirected through
>> gss_inquire_sec_context_by_oid() with GSS_C_INQ_SESSION_KEY.
> Indeed. Keeping this, and keeping this as close to the Heimdal API as
> possible is critical for a future where Samba (4 in particular) can
> either use MIT Kerberos or Heimdal.
Well, Heimdal can implement GSS_C_INQ_SSPI_SESSION_KEY :-)