preauth (I'm a Roomba in a 2'x2' room)

Jeff Blaine jblaine at
Wed Apr 28 10:41:44 EDT 2010

On 4/28/2010 8:51 AM, Greg Hudson wrote:
> On Tue, 2010-04-27 at 22:53 -0400, Jeff Blaine wrote:
>> I still can't make any sense of what is going on here.
>> What is pa type 95?  85?  Neither are mentioned in
>> src/include/krb5/krb5.h.  Does this make any sense to
>> anyone?
> I'm not sure why the values are being displayed in hex, but if you
> convert back to decimal, 0x85 is 133 and 0x95 is 149.

Oops.  Thanks.

I couldn't make sense of the need for that either and of course
there is no reasoning comment in the code.  For my additional
debug logging of pa 'type', I just carried over the existing

> 133 is KRB5_PADATA_FX_COOKIE, which is described in
>  It
> doesn't play much of a role in any existing preauth interactions; for
> now, we just send a constant string ("MIT") and the client sends it back
> to the KDC on subsequent queries within a conversation.
> 149 is KRB5_ENCPADATA_REQ_ENC_PA_REP.  Clients specify this to indicate
> that they understand encrypted padata--an additional field in the ASN.1
> encoding of a KDC request.
> Neither of those are actual preauth mechanisms, so it's normal that
> find_pa_system() wouldn't find them.  (I think it would be possible to
> treat 149 as an "informational" preauth system, but we don't; instead we
> use krb5int_find_pa_data() to search for it inside
> kdc_handle_protected_negotiation().)

Thanks Greg.  I intend to re-read draft-ietf-krb-wg-preauth-framework-16

More information about the krbdev mailing list