| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
From: Greg Hudson <ghudson@mit.edu> To: Jeff Blaine <jblaine@kickflop.net> In-Reply-To: <4BA3C647.9050303@kickflop.net> Date: Sat, 20 Mar 2010 12:51:56 -0400 Message-ID: <1269103916.7493.290.camel@ray> Mime-Version: 1.0 Cc: "krbdev@mit.edu" <krbdev@mit.edu> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: krbdev-bounces@mit.edu On Fri, 2010-03-19 at 14:45 -0400, Jeff Blaine wrote: > * kaccessor.encode_enc_ts(&ts, &encoded_ts); > > Where is encode_enc_ts() defined? I'm failing to find it. In lib/krb5/os/accessor.c, the field encode_enc_ts is set to a pointer to the function encode_krb5_pa_enc_ts, which is defined in lib/krb5/asn.1/asn1_k_encode.c using a macro. > * Am I mistaken that there are 2 encrypted challenge > preauth implementations, one in plugins/preauth and > one in lib/krb5/krb/preauth*.c ? preauth.c is only used by the deprecated krb5_get_in_tkt function and will go away at some point. preauth2.c contains implementations of SAM challenge, which I believe is a hardware preauth mechanism, and encrypted timestamp, which is similar in concept to encrypted challenge but isn't a FAST factor. > * Is the client's IP address available in a preauth plugin? It doesn't look like it. Keep in mind that the client can't reliably know what address the KDC will see its request as originating from, because of NATs, so if you're thinking of cryptographically binding the preauth request to the client IP address, that wouldn't work terribly well in many networks. _______________________________________________ krbdev mailing list krbdev@mit.edu https://mailman.mit.edu/mailman/listinfo/krbdev
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |