Proposal: drop support for pa-sam-challenge and pa-sam-response from KDC and client
Will Fiveash
will.fiveash at oracle.com
Thu Aug 19 14:37:51 EDT 2010
On Wed, Aug 18, 2010 at 04:28:00PM -0400, Sam Hartman wrote:
>
> There are two old versions of OTP-based preauth protocols floating around
> nominally supported by MIT krb5. The first is pa-sam-challenge
> (draft-ietf-krb-wg-sam-00) and the second is pa-sam-challenge-2
> (draft-ietf-krb-wg-sam-03).
>
>
> In r14939 in 2002, Ken Hornstein added support for SAM2 to the client.
>
>
> The KDC only has support for SAM not SAM2. I'm going to be writing a
> project proposal for limited SAM2 support in the KDC based on ports of
> other patches originally written by Ken.
>
> I have reasonably high confidence that people are not using the existing
> SAM support in the KDC. It is fairly weak, it only supports some very
> old tokens (SNK4) and we don't document how to use it.
>
> I'd really like to rip it out. I don't think the code is particularly
> supportable; reading it has made me concerned about the potential for
> memory leaks and in some cases security issues.
>
>
> This proposal will create somewhat of an issue if people are using that
> code. If people are worried about interop, we could leave the SAM1 code
> in the client and only remove it from the KDC.
Solaris only supports krbv5 and we don't document use of this preauth
method. I say remove as much of the cruft as you can without causing
others too much pain.
--
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/