krb5_pac_verify and server key enctype extraction

Luke Howard lukeh at padl.com
Mon Jul 20 12:09:19 EDT 2009


On 20/07/2009, at 5:53 PM, Natalie Li wrote:

> Sam Hartman wrote:
>> I think we may want an interface to expose a verified PAC for 1.8.
>> Possibly something at least nominally compatible with the naming work
>> going on in kitten or that can be extended to that interface.  I'm
>> definitely not talking about name attributes for each pac subfield,
>> simply one attribute for the verified pac as a whole, which is not
>> present if the pac fails to verify.
>>
>>
> That's a good idea. I believe the acceptor should compute and verify  
> the PAC checksum as part of the KRB_AP_REQ handling. The application  
> shouldn't have to worry about PAC verification.
> Has that been worked on? How can I track that work?

It has not been worked on. I believe Heimdal does this. I did discuss  
it briefly with Sam, and I believe his comment was that one doesn't  
really want to do vendor specific stuff in gss_accept_sec_context().

regards,

-- Luke


