[39254] in Kerberos


Re: Kerberos PAC decoding support

daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Thu Aug 24 13:06:16 2023

Message-ID: <202308241701.37OH1sRS015050@hedwig.cmf.nrl.navy.mil>
To: Ondrej Valousek <ondrej.valousek.xm@renesas.com>
cc: "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <TYCPR01MB118471D443B42094302C80091D91DA@TYCPR01MB11847.jpnprd01.prod.outlook.com>
MIME-Version: 1.0
Date: Thu, 24 Aug 2023 13:01:54 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

>I am wondering if it is reasonable to request the MIT library to
>support PAC decoding (possibly in form of Named Attributes) so that the
>information there could be used in calling application, i.e.:
>
>https://github.com/gssapi/mod_auth_gssapi/issues/288#issuecomment-1690541858
>
>Is something like this reasonable? If yes, is this support planned in
>forthcoming releases of MIT Kerberos library?

I _think_ that's already there?  If you're using the GSSAPI you already
have support for named attribute retrieval, as detailed here:

	https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html

I know there is already extensive PAC decoding and validation in later
MIT Kerberos versions.  But I would caution you that like Simo mentioned
I think all you get is SIDs in the PAC and you have to do some more work
to turn that into something useful.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
