Issue in generating Authenticator Data in AP_REQ
Greg Hudson
ghudson at MIT.EDU
Wed Aug 29 14:27:49 EDT 2012
On 08/29/2012 12:48 PM, Sankar Das wrote:
> 1. I am trying to use GSS-API. I am not sure how the Authenticator data
> is generated for the AP-REQ embedded in negTokenInit part of GSS-API. Is
> it generated in the same way as in TGS-REQ using the same key?

An AP-REQ used in a GSSAPI krb5 initiator token needs to have a special
checksum (see RFC 4121 section 4.1.1). Also, the authenticator should
be encrypted with key usage 11 instead of 7 (as key usage 7 is only used
for TGS-REQ authenticators).

> 2. Is there any example program in MIT Kerberos source code distribution
> for the same?

Our code to generate AP-REQs is in lib/krb5/krb/mk_req.c. Our code to
make GSSAPI krb5 initiator tokens is in
lib/gssapi/krb5/init_sec_context.c. Our code to do SPNEGO is in
lib/gssapi/spnego/spnego_mech.c.
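
Added example, not part of the original message and not MIT Kerberos code: the byte layout of the RFC 4121 section 4.1.1 checksum field (checksum type 0x8003) that the reply refers to, built without delegation and sanity-checked as an acceptor would, together with the key usage choice. The EX_/ex_ names are assumptions made for this example, and the caller is assumed to supply the MD5 of the channel bindings if any are used.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants from RFC 4121 section 4.1.1 and RFC 4120 section 7.5.1.
 * The EX_/ex_ names are hypothetical, chosen for this example. */
#define EX_CKSUMTYPE_GSSAPI 0x8003 /* Authenticator cksumtype value */
#define EX_KU_TGS_REQ_AUTH  7      /* TGS-REQ authenticator only */
#define EX_KU_AP_REQ_AUTH   11     /* AP-REQ authenticator, GSSAPI case */
#define EX_CKSUM_BASE_LEN   24     /* Lgth(4) + Bnd(16) + Flags(4) */
#define EX_FLAG_DELEG       0x01   /* GSS_C_DELEG_FLAG */
#define EX_FLAG_MUTUAL      0x02   /* GSS_C_MUTUAL_FLAG */
#define EX_FLAG_INTEG       0x20   /* GSS_C_INTEG_FLAG */

static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get_le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Key usage for encrypting the authenticator, per the reply above. */
int ex_authenticator_key_usage(int for_tgs_req) {
    return for_tgs_req ? EX_KU_TGS_REQ_AUTH : EX_KU_AP_REQ_AUTH;
}

/* Build the checksum field without delegation. bnd_md5 is the MD5 of the
 * channel bindings, or NULL for none (Bnd zero-filled). Returns bytes
 * written, or 0 if the buffer is too small or delegation is requested. */
size_t ex_build_gss_cksum(uint8_t *out, size_t cap,
                          const uint8_t *bnd_md5, uint32_t flags) {
    if (cap < EX_CKSUM_BASE_LEN || (flags & EX_FLAG_DELEG)) return 0;
    put_le32(out, 16);                        /* Lgth: length of Bnd */
    if (bnd_md5) memcpy(out + 4, bnd_md5, 16);
    else memset(out + 4, 0, 16);
    put_le32(out + 20, flags);                /* Flags, little-endian */
    return EX_CKSUM_BASE_LEN;
}

/* Acceptor-side sanity check: 0 on success, -1 if malformed. */
int ex_parse_gss_cksum(const uint8_t *in, size_t len, uint32_t *flags) {
    if (len < EX_CKSUM_BASE_LEN || get_le32(in) != 16) return -1;
    *flags = get_le32(in + 20);
    /* With the delegation flag set, DlgOpt and Dlgth (2 bytes each) must follow. */
    if ((*flags & EX_FLAG_DELEG) && len < EX_CKSUM_BASE_LEN + 4) return -1;
    return 0;
}
```

The resulting bytes go in the Authenticator's cksum field with cksumtype 0x8003, and the encoded Authenticator is then encrypted under the ticket session key with key usage 11.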