krb5_pac_verify and server key enctype extraction
lukeh at padl.com
Mon Jul 20 12:09:19 EDT 2009
On 20/07/2009, at 5:53 PM, Natalie Li wrote:
> Sam Hartman wrote:
>> I think we may want an interface to expose a verified PAC for 1.8.
>> Possibly something at least nominally compatible with the naming work
>> going on in kitten or that can be extended to that interface. I'm
>> definitely not talking about name attributes for each pac subfield,
>> simply one attribute for the verified pac as a whole, which is not
>> present if the pac fails to verify.
> That's a good idea. I believe the acceptor should compute and verify
> the PAC checksum as part of the KRB_AP_REQ handling. The application
> shouldn't have to worry about PAC verification.
> Has that be worked on? How can I track that work?
It has not been worked on. I believe Heimdal does this. I did discuss
it briefly was Sam, and I believe his comment was that one doesn't
really want to do vendor specific stuff in gss_accept_sec_context().
More information about the krbdev