Exposing authentication indicators through libkrb5

Greg Hudson ghudson at mit.edu
Mon Feb 22 18:48:53 EST 2016

On 02/22/2016 06:06 PM, Matt Rogers wrote:
> After looking at it more my concern is that leading up to calling the verify 
> function (in rd_req_decoded_opt()) the key provided could be a subkey or a 
> service key from the keytab, and we need to make sure we're only using the 
> service key to check the svc-verifier, without unnecessary trips to the keytab.  

The keyblock we pass to krb5int_authdata_verify() is &decrypt_key, which
is always the key used to decrypt the ticket.  Perhaps the presence of
the user-to-user case is confusing because of the way it pulls a
keyblock from the auth context, but it's still setting decrypt_key to
the ticket encryption key.

> I submitted PR #410 for two public API functions. They will first be needed 
> for a check_policy_tgs KDB method, but then also for the authdata plugin.
> Thanks again.

I'm not sure it's feasible to do auth indicator verification inside
check_policy_tgs, and these APIs don't seem to be applicable to that
task.  The KDC needs to use the KDC verifier to verify the CAMMAC, not
the service verifier, and check_policy_tgs does not receive either the
ticket decryption key or the service-realm local TGT entry.

Nathaniel brought this part of things up on IRC.  I gave an alternative
suggestion then, but I'm not sure it was read since I sent it late in
the day.  See the last two things here:
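As an added illustration (not code from this thread or from MIT krb5), the following Python model shows the point above about which key checks which CAMMAC verifier: the KDC checks the kdc-verifier with the service realm's local TGT key, while a service checks the svc-verifier with the key that decrypted the ticket, and a session subkey verifies neither. It assumes HMAC-SHA256 in place of the RFC 3961 get_mic operation (RFC 7751 assigns key usage 64 for the Verifier-MAC), and all keys and element bytes are constructed placeholders.

```python
import hashlib
import hmac

# Added example, not MIT krb5 code. Simplified model of an RFC 7751 CAMMAC:
# the DER-encoded elements are covered by a kdc-verifier (MAC under the
# service realm's local TGT key) and a svc-verifier (MAC under the service's
# long-term key, i.e. the key that decrypted the ticket). Real CAMMACs use the
# RFC 3961 get_mic operation with key usage 64; HMAC-SHA256 stands in for it.


def make_mac(key: bytes, elements: bytes) -> bytes:
    return hmac.new(key, elements, hashlib.sha256).digest()


def build_cammac(elements: bytes, tgt_key: bytes, service_key: bytes) -> dict:
    """KDC side: issue a CAMMAC carrying both verifiers over the same elements."""
    return {
        "elements": elements,
        "kdc_verifier": make_mac(tgt_key, elements),
        "svc_verifier": make_mac(service_key, elements),
    }


def verify_cammac(cammac: dict, role: str, key: bytes) -> bool:
    """role 'kdc' checks the kdc-verifier, role 'service' the svc-verifier."""
    field = {"kdc": "kdc_verifier", "service": "svc_verifier"}[role]
    expected = make_mac(key, cammac["elements"])
    # Constant-time comparison so a MAC mismatch does not leak timing.
    return hmac.compare_digest(expected, cammac[field])


def service_accepts_indicators(cammac: dict, decrypt_key: bytes) -> bool:
    """Service side (the rd_req path): verify with the ticket decryption key only."""
    return verify_cammac(cammac, "service", decrypt_key)


# Constructed sample values (hypothetical), fixed so the result is reproducible.
TGT_KEY = b"\x01" * 32         # service realm's local TGT key
SERVICE_KEY = b"\x02" * 32     # service's keytab key, used to decrypt the ticket
SESSION_SUBKEY = b"\x03" * 32  # authenticator subkey; must never verify a CAMMAC
ELEMENTS = b"auth-indicator:otp"  # stand-in for DER-encoded AuthorizationData

CAMMAC = build_cammac(ELEMENTS, TGT_KEY, SERVICE_KEY)

if __name__ == "__main__":
    print("service key verifies svc-verifier:",
          service_accepts_indicators(CAMMAC, SERVICE_KEY))
    print("subkey verifies svc-verifier:",
          service_accepts_indicators(CAMMAC, SESSION_SUBKEY))
    print("TGT key verifies kdc-verifier:",
          verify_cammac(CAMMAC, "kdc", TGT_KEY))
    tampered = dict(CAMMAC, elements=b"auth-indicator:none")
    print("tampered elements verify:",
          service_accepts_indicators(tampered, SERVICE_KEY))
```

The model deliberately has no keytab lookup: the service-side check takes only the key that already decrypted the ticket, which is the property the discussion above relies on.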

