Session Key through GSS-API

Sam Hartman hartmans at
Tue Feb 28 16:50:56 EST 2023

>>>>> "Nico" == Nico Williams <nico at> writes:

    Nico> Wait, so Oracle uses the _ticket_'s session key as the session
    Nico> key for its security layer??

Yes, or at least this doesn't surprise me.

There's a tag in the old cvs repositories for a version of krb5 (pre
beta5)l that MIT shipped to Oracle.
I think they ended up going with some version of Cybersafe,
but their krb5 was old enough that subsession keys weren't really used.


More information about the krbdev mailing list