Making use of authdata with a custom plugin

Jeffrey Hutzelman jhutz at
Tue Feb 2 23:36:46 EST 2010

--On Tuesday, February 02, 2010 02:10:30 PM -0500 Jeff Blaine 
<jblaine at> wrote:

> We're in the discovery phase of implementing some research
> stuff that will make use of authdata

Please bear in mind that Kerberos is not only a software, but also a 
standardized protocol with many implementations which must interoperate. 
The numbers which identify AD types are part of that protocol, and are a 
managed namespace.  In specifying the current Kerberos protocol (RFC4120), 
the IETF's Kerberos Working Group explicitly chose not to allocate 
private-use numbers in this space, due to the potentially serious security 
implications if authorization data with such a type were to become visible 
to some server which assigned a different meaning to the type.

I encourage you to contact the Kerberos WG to obtain AD type numbers, 
rather than picking whatever appear to be the next available numbers in 
whatever source you're looking at.

-- Jeff

More information about the krbdev mailing list