Proposal: drop support for pa-sam-challenge and pa-sam-response from KDC and client

Sam Hartman hartmans at MIT.EDU
Wed Aug 18 16:28:00 EDT 2010

There are two old versions of OTP-base preauth protocols floating around
nominally supported by MIT krb5.  The first is pa-sam-challenge
(draft-ietf-krb-wg-sam-00) and the second is pa-sam-challenge-2

In r14939 in 2002, Ken Hornstein added support for SAM2 to the client.

The KDC only has support for SAM not SAM2.  I'm going to be writing a
project proposal for limited SAM2 support in the KDC based on ports of
other patches originally written by Ken.

I have reasonably high confidence that people are not using the existing
SAM support in the KDC.  It is fairly weak, it only supports some very
old tokens (SNK4) and we don't document how to use it.

I'd really like to wrip it out.  I don't think the code is particularly
supportable; reading it has made me concerned about the potential for
memory leaks and in some cases security issues.

This proposal will create somewhat of an issue if people are using that
code.  If people are worried about interop, we could leave the SAM1 code
in the client and only remove it from the KDC.


More information about the krbdev mailing list