krb5_pac_verify and server key enctype extraction

Love Hörnquist Åstrand lha at
Mon Jul 20 12:26:55 EDT 2009

>>> I think we may want an interface to expose a verified PAC for 1.8.
>>> Possibly something at least nominally compatible with the naming  
>>> work
>>> going on in kitten or that can be extended to that interface.  I'm
>>> definitely not talking about name attributes for each pac subfield,
>>> simply one attribute for the verified pac as a whole, which is not
>>> present if the pac fails to verify.
>> That's a good idea. I believe the acceptor should compute and verify
>> the PAC checksum as part of the KRB_AP_REQ handling. The application
>> shouldn't have to worry about PAC verification.
>> Has that be worked on? How can I track that work?
> It has not been worked on. I believe Heimdal does this. I did discuss
> it briefly was Sam, and I believe his comment was that one doesn't
> really want to do vendor specific stuff in gss_accept_sec_context().

If you want to avoid adding interfaces that expose key data/context  
from the gss-api layer you have to checking it in krb5_rd_req/gss_ISC.

This is what Heimdal do.


More information about the krbdev mailing list