[16070] in Kerberos_V5_Development
Re: Proposal: drop support for pa-sam-challenge and pa-sam-response
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Wed Aug 18 17:13:50 2010
Message-ID: <4C6C4CDD.4030504@secure-endpoints.com>
Date: Wed, 18 Aug 2010 17:13:01 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: krbdev@mit.edu
In-Reply-To: <tsltymrd5tb.fsf@mit.edu>
On 8/18/2010 4:28 PM, Sam Hartman wrote:
>
> There are two old versions of OTP-based preauth protocols floating around
> nominally supported by MIT krb5. The first is pa-sam-challenge
> (draft-ietf-krb-wg-sam-00) and the second is pa-sam-challenge-2
> (draft-ietf-krb-wg-sam-03).
>
> In r14939 in 2002, Ken Hornstein added support for SAM2 to the client.
>
> The KDC only has support for SAM not SAM2. I'm going to be writing a
> project proposal for limited SAM2 support in the KDC based on ports of
> other patches originally written by Ken.
>
> I have reasonably high confidence that people are not using the existing
> SAM support in the KDC. It is fairly weak, it only supports some very
> old tokens (SNK4) and we don't document how to use it.
>
> I'd really like to rip it out. I don't think the code is particularly
> supportable; reading it has made me concerned about the potential for
> memory leaks and in some cases security issues.
>
> This proposal will create somewhat of an issue if people are using that
> code. If people are worried about interop, we could leave the SAM1 code
> in the client and only remove it from the KDC.
>
> --Sam
There are sites that do rely on this code but to the best of my
knowledge they are all still running 1.4.x and the likelihood of them
moving to something newer while continuing to make use of
pa-sam-challenge-* is unlikely. I am in favor of removing this
functionality.
Jeffrey Altman