krb5_pac_verify and server key enctype extraction
Natalie.Li at Sun.COM
Mon Jul 20 11:53:58 EDT 2009
Sam Hartman wrote:
> I think we may want an interface to expose a verified PAC for 1.8.
> Possibly something at least nominally compatible with the naming work
> going on in kitten or that can be extended to that interface. I'm
> definitely not talking about name attributes for each pac subfield,
> simply one attribute for the verified pac as a whole, which is not
> present if the pac fails to verify.
That's a good idea. I believe the acceptor should compute and verify the
PAC checksum as part of the KRB_AP_REQ handling. The application
shouldn't have to worry about PAC verification.
Has that be worked on? How can I track that work?
More information about the krbdev