preauth (I'm a Roomba in a 2'x2' room)

[Greg Hudson]

On Tue, 2010-04-27 at 22:53 -0400, Jeff Blaine wrote:
> I still can't make any sense of what is going on here.
> What is pa type 95?  85?  Neither are mentioned in
> src/include/krb5/krb5.h.  Does this make any sense to
> anyone?

I'm not sure why the values are being displayed in hex, but if you
convert back to decimal, 0x85 is 133 and 0x95 is 149.

133 is KRB5_PADATA_FX_COOKIE, which is described in
http://tools.ietf.org/html/draft-ietf-krb-wg-preauth-framework-16.  It
doesn't play much of a role in any existing preauth interactions; for
now, we just send a constant string ("MIT") and the client sends it back
to the KDC on subsequent queries within a conversation.

149 is KRB5_ENCPADATA_REQ_ENC_PA_REP.  Clients specify this to indicate
that they understand encrypted padata--an additional field in the ASN.1
encoding of a KDC request.

Neither of those are actual preauth mechanisms, so it's normal that
find_pa_system() wouldn't find them.  (I think it would be possible to
treat 149 as an "informational" preauth system, but we don't; instead we
use krb5int_find_pa_data() to search for it inside
kdc_handle_protected_negotiation().)