[20503] in Kerberos_V5_Development


Message-Authenticator depending on request/response code

daemon@ATHENA.MIT.EDU (Julien Rische)
Tue Oct 1 11:50:34 2024

MIME-Version: 1.0
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Oct 2024 17:50:02 +0200
Message-ID: <CAAATZON878N3HM_Ui5P3j5n3iJZyf=8yo87BKomiGoJSsQHS9A@mail.gmail.com>
To: freeradius-devel@lists.freeradius.org
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Hello everyone,

We are currently working on implementing RADIUS Message-Authenticator for MIT
krb5[1] according to RFC2865[2] and draft-ietf-radext-deprecating-radius-03[3].

We are not sure about what packet codes we should generate and expect
Message-Authenticator to verify for. In draft-ietf-radext-deprecating-radius-03
we can read:

Section 5.2.1:

  "Clients MUST add Message-Authenticator to all Access-Request packets."

Section 5.2.4:

  "Servers MUST add Message-Authenticator as the first attribute in all
   responses to Access-Request packets. That is, all Access-Accept,
   Access-Reject, Access-Challenge, and Protocol-Error packets."

However, I see that the FreeRADIUS server seems to be generating
Message-Authenticators for additional packet codes[4]. We would like to enforce
the use of Message-Authenticator as much as possible, but we are not sure if it
is relevant for all packet codes.

Could you explain why this specific code set triggers Message-Authenticator
generation in the FreeRADIUS server? And do you have any recommendations about
the cases where we should generate Message-Authenticators to ensure
compatibility with FreeRADIUS?

Thank you in advance,

Julien Rische
Red Hat, Inc.


[1] https://github.com/krb5/krb5/pull/1370
[2] https://datatracker.ietf.org/doc/html/rfc2869
[3] https://datatracker.ietf.org/doc/html/draft-ietf-radext-deprecating-radius-03
[4] https://github.com/FreeRADIUS/freeradius-server/blob/4312a2df8e0829c87811f42da7591a852350c068/src/protocols/radius/base.c#L367-L386
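As an added illustration of the two draft requirements quoted in the message above (Message-Authenticator on every Access-Request, and first in every response to one), the following Python is example code written for this archive page; it is not from MIT krb5, FreeRADIUS or the draft text. It implements the HMAC-MD5 computation defined in RFC 2869 section 5.14 on both the sending and the verifying side, including the rule that a response's HMAC and Response Authenticator are computed with the Request Authenticator of the matching Access-Request, and it enforces the first-attribute placement for responses. The shared secret, identifiers and User-Name values are constructed sample data; the numeric codes are the standard ones (Message-Authenticator is attribute 80, Protocol-Error is code 52 from RFC 7930).

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865; Protocol-Error from RFC 7930)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCESS_CHALLENGE, PROTOCOL_ERROR = 11, 52
# The response codes the draft names as answers to an Access-Request
RESPONSES_TO_ACCESS_REQUEST = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE, PROTOCOL_ERROR}

MESSAGE_AUTHENTICATOR = 80   # attribute type, RFC 2869 section 5.14
USER_NAME = 1
HEADER_LEN = 20

SECRET = b"constructed-sample-shared-secret"   # sample value, not a real deployment secret


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = bytearray()
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes([atype, len(value) + 2]) + value
    return bytes(out)


def build_packet(code, identifier, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute; raise on malformed lengths."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        yield pos, atype, packet[pos + 2:pos + alen]
        pos += alen


def add_message_authenticator(code, identifier, hmac_authenticator, attrs, secret):
    """Prepend Message-Authenticator and fill it with HMAC-MD5 over the packet.

    The HMAC is taken over the whole packet with the attribute value zeroed; the
    header carries `hmac_authenticator`, which is the Request Authenticator for
    both requests and responses (RFC 2869 section 5.14).
    """
    attrs = [(MESSAGE_AUTHENTICATOR, bytes(16))] + list(attrs)
    mac = hmac.new(secret, build_packet(code, identifier, hmac_authenticator, attrs),
                   hashlib.md5).digest()
    attrs[0] = (MESSAGE_AUTHENTICATOR, mac)
    return build_packet(code, identifier, hmac_authenticator, attrs)


def build_request(identifier, attrs, secret=SECRET):
    """Client side: Access-Request with a random Request Authenticator."""
    return add_message_authenticator(ACCESS_REQUEST, identifier, os.urandom(16), attrs, secret)


def build_response(code, request, attrs, secret=SECRET):
    """Server side: response whose HMAC uses the Request Authenticator, then the
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    pkt = add_message_authenticator(code, request[1], request[4:20], attrs, secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def verify(packet, secret=SECRET, request=None):
    """Return (ok, reason). `request` is the Access-Request a response answers."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    if code == ACCESS_REQUEST:
        header_auth = packet[4:20]
    elif code in RESPONSES_TO_ACCESS_REQUEST:
        if request is None or request[1] != identifier:
            return False, "no matching Access-Request"
        header_auth = request[4:20]
    else:
        return False, "code not handled by this example"
    found = None
    try:
        for idx, (off, atype, value) in enumerate(iter_attrs(packet)):
            if atype == MESSAGE_AUTHENTICATOR:
                if len(value) != 16 or found is not None:
                    return False, "malformed or duplicate Message-Authenticator"
                found = (idx, off, value)
    except ValueError as exc:
        return False, str(exc)
    if found is None:
        return False, "Message-Authenticator missing"
    idx, off, value = found
    if code != ACCESS_REQUEST and idx != 0:
        return False, "Message-Authenticator is not the first attribute"
    zeroed = packet[:4] + header_auth + packet[20:off + 2] + bytes(16) + packet[off + 18:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value):
        return False, "Message-Authenticator mismatch"
    if code != ACCESS_REQUEST:
        expected = hashlib.md5(packet[:4] + header_auth + packet[20:] + secret).digest()
        if not hmac.compare_digest(expected, packet[4:20]):
            return False, "Response Authenticator mismatch"
    return True, "ok"


if __name__ == "__main__":
    req = build_request(7, [(USER_NAME, b"alice")])
    print("request:", verify(req))
    print("accept:", verify(build_response(ACCESS_ACCEPT, req, []), request=req))
```

The verifier deliberately checks placement before the HMAC, so a response carrying a correct Message-Authenticator in the wrong position is still reported as non-compliant with the draft's "first attribute" rule; a deployment that only wants to interoperate with older servers would relax that one check and keep the rest.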

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
