preauth (I'm a Roomba in a 2'x2' room)
ghudson at MIT.EDU
Wed Apr 28 08:51:50 EDT 2010

On Tue, 2010-04-27 at 22:53 -0400, Jeff Blaine wrote:
> I still can't make any sense of what is going on here.
> What is pa type 95? 85? Neither are mentioned in
> src/include/krb5/krb5.h. Does this make any sense to

I'm not sure why the values are being displayed in hex, but if you
convert back to decimal, 0x85 is 133 and 0x95 is 149.

133 is KRB5_PADATA_FX_COOKIE, which is described in
doesn't play much of a role in any existing preauth interactions; for
now, we just send a constant string ("MIT") and the client sends it back
to the KDC on subsequent queries within a conversation.

149 is KRB5_ENCPADATA_REQ_ENC_PA_REP. Clients specify this to indicate
that they understand encrypted padata--an additional field in the ASN.1
encoding of a KDC request.

Neither of those are actual preauth mechanisms, so it's normal that
find_pa_system() wouldn't find them. (I think it would be possible to
treat 149 as an "informational" preauth system, but we don't; instead we
use krb5int_find_pa_data() to search for it inside
More information about the krbdev
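
The two lookups the reply distinguishes, as an added C illustration that is not part of the original post and is not MIT krb5 source: a mechanism-table lookup (the role find_pa_system() plays) and a search of the request's own padata list (the role krb5int_find_pa_data() plays). The struct layouts, function names, table contents and sample request are simplified, hypothetical stand-ins; only the values 133 and 149 come from the post.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>

/* 133 and 149 are the values from the post; 2 is encrypted timestamp (RFC 4120). */
enum { PA_ENC_TIMESTAMP = 2, PA_FX_COOKIE = 133, ENCPA_REQ_ENC_PA_REP = 149 };

/* Simplified stand-in for one padata element of a KDC request. */
struct pa_data { int pa_type; size_t length; const unsigned char *contents; };

/* Hypothetical mechanism table: only real preauth mechanisms get an entry. */
struct pa_system { int type; const char *name; };
static const struct pa_system pa_systems[] = {
    { PA_ENC_TIMESTAMP, "encrypted-timestamp" },
};

/* Mechanism lookup: the role find_pa_system() plays in the post. */
const struct pa_system *lookup_pa_system(int type)
{
    size_t i;
    for (i = 0; i < sizeof(pa_systems) / sizeof(pa_systems[0]); i++)
        if (pa_systems[i].type == type)
            return &pa_systems[i];
    return NULL;
}

/* Request search over a NULL-terminated list: the role krb5int_find_pa_data() plays. */
const struct pa_data *find_pa_data(const struct pa_data *const *list, int type)
{
    for (; list != NULL && *list != NULL; list++)
        if ((*list)->pa_type == type)
            return *list;
    return NULL;
}

/* Convert a type printed in hex without "0x" (as in the log) to its number. */
int pa_type_from_hex_log(const char *s)
{
    char *end;
    long v = strtol(s, &end, 16);
    return (*s != '\0' && *end == '\0' && v >= 0 && v <= INT_MAX) ? (int)v : -1;
}

/* Constructed sample request: cookie echoed back, plus the encrypted-padata flag. */
static const struct pa_data cookie = { PA_FX_COOKIE, 3, (const unsigned char *)"MIT" };
static const struct pa_data enc_rep = { ENCPA_REQ_ENC_PA_REP, 0, NULL };
static const struct pa_data *const sample_request[] = { &cookie, &enc_rep, NULL };

int main(void) { return find_pa_data(sample_request, pa_type_from_hex_log("95")) ? 0 : 1; }
```

Both types are present in the sample request yet absent from the mechanism table, which is the situation the log lines in the thread reflect.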