krb5_pac_verify and server key enctype extraction

Natalie Li Natalie.Li at Sun.COM
Mon Jul 20 11:53:58 EDT 2009

Sam Hartman wrote:
> I think we may want an interface to expose a verified PAC for 1.8.
> Possibly something at least nominally compatible with the naming work
> going on in kitten or that can be extended to that interface.  I'm
> definitely not talking about name attributes for each pac subfield,
> simply one attribute for the verified pac as a whole, which is not
> present if the pac fails to verify.
That's a good idea. I believe the acceptor should compute and verify the 
PAC checksum as part of the KRB_AP_REQ handling. The application 
shouldn't have to worry about PAC verification.
Has that be worked on? How can I track that work?



More information about the krbdev mailing list