preauth code questions

Greg Hudson ghudson at MIT.EDU
Sat Mar 20 12:51:56 EDT 2010


On Fri, 2010-03-19 at 14:45 -0400, Jeff Blaine wrote:
> * kaccessor.encode_enc_ts(&ts, &encoded_ts);
> 
>    Where is encode_enc_ts() defined?  I'm failing to find it.

In lib/krb5/os/accessor.c, the field encode_enc_ts is set to a pointer
to the function encode_krb5_pa_enc_ts, which is defined in
lib/krb5/asn.1/asn1_k_encode.c using a macro.

> * Am I mistaken that there are 2 encrypted challenge
>    preauth implementations, one in plugins/preauth and
>    one in lib/krb5/krb/preauth*.c ?

preauth.c is only used by the deprecated krb5_get_in_tkt function and
will go away at some point.

preauth2.c contains implementations of SAM challenge, which I believe is
a hardware preauth mechanism, and encrypted timestamp, which is similar
in concept to encrypted challenge but isn't a FAST factor.

> * Is the client's IP address available in a preauth plugin?

It doesn't look like it.  Keep in mind that the client can't reliably
know what address the KDC will see its request as originating from,
because of NATs, so if you're thinking of cryptographically binding the
preauth request to the client IP address, that wouldn't work terribly
well in many networks.
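To make the encrypted-timestamp mechanism mentioned above concrete, here is an added example (not code from MIT krb5 or from this thread): a hand-rolled DER encoder and strict decoder for PA-ENC-TS-ENC, the structure that encode_krb5_pa_enc_ts produces and that the client then encrypts in its long-term key, plus the clock-skew acceptance check a KDC applies to the decrypted timestamp. The RFC 4120 layout and the 300-second default skew are assumptions drawn from general Kerberos knowledge, not from the post.

```python
"""DER encode/decode of PA-ENC-TS-ENC (RFC 4120 5.2.7.2), the plaintext that
encrypted-timestamp preauth seals with the client's long-term key:
  PA-ENC-TS-ENC ::= SEQUENCE { patimestamp [0] KerberosTime,  -- GeneralizedTime
                               pausec      [1] Microseconds OPTIONAL }
Added example; not MIT krb5's own encode_krb5_pa_enc_ts."""
from datetime import datetime, timedelta, timezone
CLOCKSKEW = timedelta(seconds=300)  # assumed: krb5's default clockskew

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80  # structure is tiny; short-form lengths suffice
    return bytes([tag, len(body)]) + body

def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos); short-form lengths only, bounds-checked."""
    if len(buf) < pos + 2 or buf[pos + 1] & 0x80 or len(buf) < pos + 2 + buf[pos + 1]:
        raise ValueError("bad DER length")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def encode_pa_enc_ts_enc(when: datetime, usec=None) -> bytes:
    """Encode a timezone-aware datetime; sub-second precision goes in pausec."""
    ts = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode()
    out = _tlv(0xA0, _tlv(0x18, ts))  # [0] EXPLICIT GeneralizedTime
    if usec is not None:  # [1] EXPLICIT INTEGER, minimal two's-complement
        body = usec.to_bytes(usec.bit_length() // 8 + 1, "big", signed=True)
        out += _tlv(0xA1, _tlv(0x02, body))
    return _tlv(0x30, out)  # SEQUENCE

def decode_pa_enc_ts_enc(der: bytes):
    """Strict decode: rejects trailing bytes, wrong tags and malformed times."""
    tag, seq, end = _read_tlv(der)
    t0, ctx0, pos = _read_tlv(seq)
    gt, ts, _ = _read_tlv(ctx0)
    if (tag, end, t0, gt, len(ts), ts[-1:]) != (0x30, len(der), 0xA0, 0x18, 15, b"Z"):
        raise ValueError("bad PA-ENC-TS-ENC or patimestamp")
    when = datetime.strptime(ts.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    usec = None
    if pos < len(seq):
        t1, ctx1, pos = _read_tlv(seq, pos)
        it, ib, _ = _read_tlv(ctx1)
        usec = int.from_bytes(ib, "big", signed=True)
        if (t1, it, pos) != (0xA1, 0x02, len(seq)) or not 0 <= usec < 1_000_000:
            raise ValueError("bad pausec")
    return when, usec

def within_clockskew(when: datetime, now: datetime, skew=CLOCKSKEW) -> bool:
    """KDC-side check: a decrypted timestamp outside the skew window is rejected."""
    return abs(now - when) <= skew
```

Because the timestamp is the only freshness the mechanism carries, the skew window is what bounds replay of a captured PA-ENC-TIMESTAMP; the KDC otherwise relies on replay caches and on the per-client key, not on the source address.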
