[15623] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: preauth code questions

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Mar 20 12:52:02 2010

From: Greg Hudson <ghudson@mit.edu>
To: Jeff Blaine <jblaine@kickflop.net>
In-Reply-To: <4BA3C647.9050303@kickflop.net>
Date: Sat, 20 Mar 2010 12:51:56 -0400
Message-ID: <1269103916.7493.290.camel@ray>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Fri, 2010-03-19 at 14:45 -0400, Jeff Blaine wrote:
> * kaccessor.encode_enc_ts(&ts, &encoded_ts);
> 
>    Where is encode_enc_ts() defined?  I'm failing to find it.

In lib/krb5/os/accessor.c, the field encode_enc_ts is set to a pointer
to the function encode_krb5_pa_enc_ts, which is defined in
lib/krb5/asn.1/asn1_k_encode.c using a macro.

> * Am I mistaken that there are 2 encrypted challenge
>    preauth implementations, one in plugins/preauth and
>    one in lib/krb5/krb/preauth*.c ?

preauth.c is only used by the deprecated krb5_get_in_tkt function and
will go away at some point.

preauth2.c contains implementations of SAM challenge, which I believe is
a hardware preauth mechanism, and encrypted timestamp, which is similar
in concept to encrypted challenge but isn't a FAST factor.

> * Is the client's IP address available in a preauth plugin?

It doesn't look like it.  Keep in mind that the client can't reliably
know what address the KDC will see its request as originating from,
because of NATs, so if you're thinking of cryptographically binding the
preauth request to the client IP address, that wouldn't work terribly
well in many networks.


_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post