What's missing in fast-otp?

Linus Nordberg linus at nordu.net
Mon Jul 18 08:11:53 EDT 2011


I'm working on getting branch fast-otp of
https://github.com/ln5/krb5-anonsvn (implementing
draft-ietf-krb-wg-otp-preauth) good enough for inclusion in MIT's repo.

What issues are there?

- Using two new krbExtraInfo types

  #define KRB5_TL_OTP_ID                  0x0800 /* OTP token id */
  #define KRB5_TL_OTP_BLOB                0x1000 /* OTP binary blob */

  Greg on IRC: "It's on our list to create a more scalable extension for
  principal entries.  (Possibly just a tl-data type containing a
  string/string mapping.)"

- Dependencies -- we depend on libykclient and libcurl

  Is this acceptable?  With a configure option `--enable-plugin-otp'?

- Code quality -- a review would be valuable

- Verification of KDC nonce -- trying to find out if the PA-FX-COOKIE
  can help here.

- Standard compliance and completeness -- we're far from implementing
  all of draft-ietf-krb-wg-otp-preauth

- Test suite -- what's the preferred way of adding tests for this?

