Proposal: drop support for pa-sam-challenge and pa-sam-response from KDC and client

Will Fiveash will.fiveash at
Thu Aug 19 14:37:51 EDT 2010

On Wed, Aug 18, 2010 at 04:28:00PM -0400, Sam Hartman wrote:
> There are two old versions of OTP-base preauth protocols floating around
> nominally supported by MIT krb5.  The first is pa-sam-challenge
> (draft-ietf-krb-wg-sam-00) and the second is pa-sam-challenge-2
> (draft-ietf-krb-wg-sam-03).
> In r14939 in 2002, Ken Hornstein added support for SAM2 to the client.
> The KDC only has support for SAM not SAM2.  I'm going to be writing a
> project proposal for limited SAM2 support in the KDC based on ports of
> other patches originally written by Ken.
> I have reasonably high confidence that people are not using the existing
> SAM support in the KDC.  It is fairly weak, it only supports some very
> old tokens (SNK4) and we don't document how to use it.
> I'd really like to rip it out.  I don't think the code is particularly
> supportable; reading it has made me concerned about the potential for
> memory leaks and in some cases security issues.
> This proposal will create somewhat of an issue if people are using that
> code.  If people are worried about interop, we could leave the SAM1 code
> in the client and only remove it from the KDC.

Solaris only supports krbv5 and we don't document use of this preauth
method.  I say remove as much of the cruft as you can without causing
others too much pain.

Will Fiveash
Sent using mutt, a sweet text based e-mail app: