Proposal: drop support for pa-sam-challenge and pa-sam-response from
From: Sam Hartman <hartmans@mit.edu>
To: krbdev@mit.edu
Date: Wed, 18 Aug 2010 16:28:00 -0400
Message-ID: <tsltymrd5tb.fsf@mit.edu>
Cc: kenh@cmf.nrl.navy.mil
There are two old versions of OTP-based preauth protocols floating around,
nominally supported by MIT krb5. The first is pa-sam-challenge
(draft-ietf-krb-wg-sam-00) and the second is pa-sam-challenge-2
(draft-ietf-krb-wg-sam-03).
In r14939 in 2002, Ken Hornstein added support for SAM2 to the client.
The KDC only has support for SAM not SAM2. I'm going to be writing a
project proposal for limited SAM2 support in the KDC based on ports of
other patches originally written by Ken.
I have reasonably high confidence that people are not using the existing
SAM support in the KDC. It is fairly weak: it only supports some very
old tokens (SNK4), and we don't document how to use it.
I'd really like to rip it out. I don't think the code is particularly
supportable; reading it has made me concerned about the potential for
memory leaks and, in some cases, security issues.
This proposal will create somewhat of an issue if people are using that
code. If people are worried about interop, we could leave the SAM1 code
in the client and only remove it from the KDC.
--Sam
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev