krb5_pac_verify and server key enctype extraction

Luke Howard lukeh at padl.com
Mon Jul 20 12:03:19 EDT 2009


On 20/07/2009, at 5:41 PM, Natalie Li wrote:

> Luke Howard wrote:
>>>>
>>> Just to clarify, we're interested in the enctype associated with  
>>> the server's long-term key that was used to decrypt the krb ticket  
>>> carried in the KRB_AP_REQ, not the session key. Do we have an API  
>>> to extract that information from GSS context?
>>
>> Not that I'm aware of. You can enumerate the keytab, looking for a  
>> key with a mandatory checksum type that matches that in the PAC.
>>
>> -- Luke
> Yes, we do something similar to your above suggestion for now.  
> Thanks for confirming that there isn't any API for extracting tik  
> enctype.

Yeah, it took me a while to realise that that was what I had always done.  
But yes, we should do what Sam suggests for 1.8.

-- Luke
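
The keytab-matching workaround discussed in this thread, as an added example that is not part of the original messages or of the krb5 source. It assumes the raw PAC bytes are at hand and models the keytab as a plain array (`struct kt_entry`, `SAMPLE_PAC` and `SAMPLE_KT` are constructed for illustration); real code would walk the keytab with `krb5_kt_start_seq_get` / `krb5_kt_next_entry`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PAC checksum type -> enctype whose mandatory checksum it is (RFC 3961/3962/4757). */
static const struct { int32_t cksumtype; int enctype; } MANDATORY[] = {
    { -138, 23 },   /* hmac-md5            : rc4-hmac                */
    {   15, 17 },   /* hmac-sha1-96-aes128 : aes128-cts-hmac-sha1-96 */
    {   16, 18 },   /* hmac-sha1-96-aes256 : aes256-cts-hmac-sha1-96 */
};
struct kt_entry { int kvno; int enctype; };   /* hypothetical stand-in for a keytab entry */

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Read SignatureType from the server checksum buffer (ulType 6); 0 = ok, -1 = absent/malformed. */
int pac_server_cksumtype(const uint8_t *pac, size_t len, int32_t *out) {
    if (len < 8 || le32(pac) > (len - 8) / 16) return -1;   /* directory must fit */
    for (uint32_t i = 0, n = le32(pac); i < n; i++) {
        const uint8_t *e = pac + 8 + 16 * (size_t)i;        /* PAC_INFO_BUFFER i */
        uint64_t size = le32(e + 4), off = le32(e + 8) | (uint64_t)le32(e + 12) << 32;
        if (le32(e) != 6) continue;
        if (size < 4 || off > len || size > len - off) return -1;
        *out = (int32_t)le32(pac + off);
        return 0;
    }
    return -1;
}

/* Index of the first entry whose enctype mandates the PAC's server checksum type, else -1. */
int match_keytab(const struct kt_entry *kt, size_t n, const uint8_t *pac, size_t len) {
    int32_t ck;
    if (pac_server_cksumtype(pac, len, &ck) != 0) return -1;
    for (size_t i = 0; i < n; i++)
        for (size_t m = 0; m < sizeof MANDATORY / sizeof MANDATORY[0]; m++)
            if (MANDATORY[m].cksumtype == ck && MANDATORY[m].enctype == kt[i].enctype)
                return (int)i;
    return -1;
}

/* Constructed sample: one buffer (type 6, 16 bytes at offset 24), SignatureType 16, zeroed signature. */
static const uint8_t SAMPLE_PAC[40] = {
    1,0,0,0, 0,0,0,0,  6,0,0,0, 16,0,0,0, 24,0,0,0, 0,0,0,0,  16,0,0,0 };
static const struct kt_entry SAMPLE_KT[] = { {3, 23}, {3, 17}, {3, 18} };

int main(void) {
    printf("matching keytab index: %d\n", match_keytab(SAMPLE_KT, 3, SAMPLE_PAC, 40));
    return 0;
}
```

The match identifies an enctype, not a unique key: several kvnos can share it, so the result narrows the candidates for `krb5_pac_verify` rather than proving which key decrypted the ticket.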


