[16088] in Kerberos_V5_Development


Re: Proposal: drop support for pa-sam-challenge and pa-sam-response

daemon@ATHENA.MIT.EDU (Will Fiveash)
Thu Aug 19 14:38:33 2010

Date: Thu, 19 Aug 2010 13:37:51 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Sam Hartman <hartmans@mit.edu>
Message-ID: <20100819183751.GA13650@sun.com>
Mail-Followup-To: Sam Hartman <hartmans@mit.edu>, krbdev@mit.edu,
	kenh@cmf.nrl.navy.mil
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <tsltymrd5tb.fsf@mit.edu>
Cc: kenh@cmf.nrl.navy.mil, krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Wed, Aug 18, 2010 at 04:28:00PM -0400, Sam Hartman wrote:
> 
> There are two old versions of OTP-based preauth protocols floating around
> nominally supported by MIT krb5.  The first is pa-sam-challenge
> (draft-ietf-krb-wg-sam-00) and the second is pa-sam-challenge-2
> (draft-ietf-krb-wg-sam-03).
> 
> 
> In r14939 in 2002, Ken Hornstein added support for SAM2 to the client.
> 
> 
> The KDC only has support for SAM not SAM2.  I'm going to be writing a
> project proposal for limited SAM2 support in the KDC based on ports of
> other patches originally written by Ken.
> 
> I have reasonably high confidence that people are not using the existing
> SAM support in the KDC.  It is fairly weak, it only supports some very
> old tokens (SNK4) and we don't document how to use it.
> 
> I'd really like to rip it out.  I don't think the code is particularly
> supportable; reading it has made me concerned about the potential for
> memory leaks and in some cases security issues.
> 
> 
> This proposal will create somewhat of an issue if people are using that
> code.  If people are worried about interop, we could leave the SAM1 code
> in the client and only remove it from the KDC.

Solaris only supports krbv5 and we don't document use of this preauth
method.  I say remove as much of the cruft as you can without causing
others too much pain.

-- 
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet text based e-mail app: http://www.mutt.org/
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
