preauth (I'm a Roomba in a 2'x2' room)
Jeff Blaine
jblaine at kickflop.net
Wed Apr 28 10:41:44 EDT 2010
On 4/28/2010 8:51 AM, Greg Hudson wrote:
> On Tue, 2010-04-27 at 22:53 -0400, Jeff Blaine wrote:
>> I still can't make any sense of what is going on here.
>> What is pa type 95? 85? Neither are mentioned in
>> src/include/krb5/krb5.h. Does this make any sense to
>> anyone?
>
> I'm not sure why the values are being displayed in hex, but if you
> convert back to decimal, 0x85 is 133 and 0x95 is 149.
Oops. Thanks.
I couldn't make sense of the need for that either and of course
there is no reasoning comment in the code. For my additional
debug logging of pa 'type', I just carried over the existing
code/style...
> 133 is KRB5_PADATA_FX_COOKIE, which is described in
> http://tools.ietf.org/html/draft-ietf-krb-wg-preauth-framework-16. It
> doesn't play much of a role in any existing preauth interactions; for
> now, we just send a constant string ("MIT") and the client sends it back
> to the KDC on subsequent queries within a conversation.
>
> 149 is KRB5_ENCPADATA_REQ_ENC_PA_REP. Clients specify this to indicate
> that they understand encrypted padata--an additional field in the ASN.1
> encoding of a KDC request.
>
> Neither of those are actual preauth mechanisms, so it's normal that
> find_pa_system() wouldn't find them. (I think it would be possible to
> treat 149 as an "informational" preauth system, but we don't; instead we
> use krb5int_find_pa_data() to search for it inside
> kdc_handle_protected_negotiation().)
Thanks Greg. I intend to re-read draft-ietf-krb-wg-preauth-framework-16
today.
More information about the krbdev
mailing list