Making use of authdata with a custom plugin

Jeff Blaine jblaine at kickflop.net
Wed Feb 3 09:51:04 EST 2010


On 2/2/2010 11:36 PM, Jeffrey Hutzelman wrote:
> --On Tuesday, February 02, 2010 02:10:30 PM -0500 Jeff Blaine
> <jblaine at kickflop.net> wrote:
>
>> We're in the discovery phase of implementing some research
>> stuff that will make use of authdata
>
> Please bear in mind that Kerberos is not only software, but also a
> standardized protocol with many implementations which must interoperate.
> The numbers which identify AD types are part of that protocol, and are a
> managed namespace. In specifying the current Kerberos protocol
> (RFC4120), the IETF's Kerberos Working Group explicitly chose not to
> allocate private-use numbers in this space, due to the potentially
> serious security implications if authorization data with such a type
> were to become visible to some server which assigned a different meaning
> to the type.
>
> I encourage you to contact the Kerberos WG to obtain AD type numbers,
> rather than picking whatever appear to be the next available numbers in
> whatever source you're looking at.

Thanks Jeff (and Luke in another response):

Should the code ever be extracted from our research testbed,
we surely will address that topic properly.

>
> -- Jeff


