Proposal: drop support for pa-sam-challenge and pa-sam-response from KDC and client

Jeffrey Altman jaltman at
Wed Aug 18 17:13:01 EDT 2010

On 8/18/2010 4:28 PM, Sam Hartman wrote:
> There are two old versions of OTP-base preauth protocols floating around
> nominally supported by MIT krb5.  The first is pa-sam-challenge
> (draft-ietf-krb-wg-sam-00) and the second is pa-sam-challenge-2
> (draft-ietf-krb-wg-sam-03).
> In r14939 in 2002, Ken Hornstein added support for SAM2 to the client.
> The KDC only has support for SAM not SAM2.  I'm going to be writing a
> project proposal for limited SAM2 support in the KDC based on ports of
> other patches originally written by Ken.
> I have reasonably high confidence that people are not using the existing
> SAM support in the KDC.  It is fairly weak, it only supports some very
> old tokens (SNK4) and we don't document how to use it.
> I'd really like to wrip it out.  I don't think the code is particularly
> supportable; reading it has made me concerned about the potential for
> memory leaks and in some cases security issues.
> This proposal will create somewhat of an issue if people are using that
> code.  If people are worried about interop, we could leave the SAM1 code
> in the client and only remove it from the KDC.
> --Sam

There are sites that do rely on this code but to the best of my
knowledge they are all still running 1.4.x and the likelihood of them
moving to something newer while continuing to make use of
pa-sam-challenge-* is unlikely.  I am in favor of removing this

Jeffrey Altman

More information about the krbdev mailing list