Exposing authentication indicators through libkrb5

Matt Rogers mrogers at redhat.com
Wed Feb 17 10:06:33 EST 2016


In continuing the discussion about exposing AI data to GSSAPI name extension,
the AI authdata plugin will need to be able to acquire the raw authdata (after
extraction from a verified CAMMAC) with an indication that the contents were
authenticated. It seems that this processing will need to be done outside of the
plugin since it won't have access to the keys required to verify the CAMMAC.
What would be the correct way to have the CAMMAC pre-processed in order to
provide the plugin with the raw authdata?

In addition to this, authind_extract() (which is currently private to the KDC
code) may need to be moved to libkrb5 so the plugin can handle the authdata.

Any input is appreciated.


Matt Rogers
Red Hat, Inc

