Making use of authdata with a custom plugin
Jeffrey Hutzelman
jhutz at cmu.edu
Tue Feb 2 23:36:46 EST 2010
--On Tuesday, February 02, 2010 02:10:30 PM -0500 Jeff Blaine
<jblaine at kickflop.net> wrote:
> We're in the discovery phase of implementing some research
> stuff that will make use of authdata
Please bear in mind that Kerberos is not only software, but also a
standardized protocol with many implementations which must interoperate.
The numbers which identify AD types are part of that protocol, and are a
managed namespace. In specifying the current Kerberos protocol (RFC4120),
the IETF's Kerberos Working Group explicitly chose not to allocate
private-use numbers in this space, due to the potentially serious security
implications if authorization data with such a type were to become visible
to some server which assigned a different meaning to the type.
I encourage you to contact the Kerberos WG to obtain AD type numbers,
rather than picking whatever appear to be the next available numbers in
whatever source you're looking at.
-- Jeff