Session key extraction

Andrew Bartlett abartlet at samba.org
Mon Jan 5 16:43:52 EST 2009


On Mon, 2009-01-05 at 18:11 +1100, Luke Howard wrote:
> On 05/01/2009, at 5:17 PM, Andrew Bartlett wrote:
> 
> > On Tue, 2008-12-23 at 10:10 +1100, Luke Howard wrote:
> >>> I don't know of anyone who plans to use this feature with MIT Kerberos
> >>> right now.  So, my approach is to pull any public exposure of the
> >>> feature and add a comment encouraging people who want to use it to
> >>> negotiate an interface with us.  I think if we're going to do this, we
> >>> need to commit to being willing to add an interface in a point
> >>> release.
> >>> (Luke, if you know of users now, we could short circuit and start
> >>> that discussion now.)
> >>
> >>
> >> Microsoft protocols that need this include SMB and DRS (replication
> >> service). I believe Samba, Novell, and Likewise will require this.
> >>
> >> Presently there is no explicit API for this, it is indirected through
> >> gss_inquire_sec_context_by_oid() with GSS_C_INQ_SESSION_KEY.
> >
> > Indeed.  Keeping this, and keeping this as close to the Heimdal API as
> > possible is critical for a future where Samba (4 in particular) can use
> > either MIT Kerberos or Heimdal.
> 
> Well, Heimdal can implement GSS_C_INQ_SSPI_SESSION_KEY :-)

I do have to say, it looks like a nicer API.  

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.