• Re: Kerberos PAC decoding support

    From Ken Hornstein@kenh@cmf.nrl.navy.mil to Ondrej Valousek on Thu Aug 24 13:01:54 2023
    From Newsgroup: comp.protocols.kerberos

    > I am wondering if it is reasonable to request the MIT library to
    > support PAC decoding (possibly in the form of Named Attributes) so that the
    > information there could be used in the calling application, i.e.:
    >
    > https://github.com/gssapi/mod_auth_gssapi/issues/288#issuecomment-1690541858
    >
    > Is something like this reasonable? If yes, is this support planned in
    > forthcoming releases of the MIT Kerberos library?

    I _think_ that's already there? If you're using the GSSAPI you already
    have support for named attribute retrieval, as detailed here:

    https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html

    I know there is already extensive PAC decoding and validation in later
    MIT Kerberos versions. But I would caution you that like Simo mentioned
    I think all you get is SIDs in the PAC and you have to do some more work
    to turn that into something useful.

    --Ken
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Greg Hudson@ghudson@mit.edu to kerberos@mit.edu on Thu Aug 24 13:15:32 2023
    From Newsgroup: comp.protocols.kerberos

    On 8/24/23 02:18, Ondrej Valousek wrote:
    > I am wondering if it is reasonable to request the MIT library to
    > support PAC decoding (possibly in the form of Named Attributes) so that the
    > information there could be used in the calling application, i.e.:

    PAC buffers are available via these name attributes:

    urn:mspac: (for the whole PAC)
    urn:mspac:logon-info
    urn:mspac:credentials-info
    urn:mspac:server-checksum
    urn:mspac:privsvr-checksum
    urn:mspac:client-info
    urn:mspac:delegation-info
    urn:mspac:upn-dns-info

    libkrb5 doesn't do any NDR decoding, so that part has to be done by the application.
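    What the application-side work looks like once the attributes above have been fetched, as an added example that is not part of this thread and not MIT krb5 or mod_auth_gssapi code. It takes the raw bytes that `urn:mspac:` returns, splits them into the PAC_INFO_BUFFER entries with bounds checks, and decodes the buffers that are plain little-endian structures in MS-PAC (client-info, upn-dns-info, the two checksum buffers). The NDR-encoded buffers (logon-info, credentials-info, delegation-info) are only reported as present, since, as Greg says, libkrb5 does no NDR decoding and neither does this snippet. The SID decoder covers the S-flag extension of PAC_UPN_DNS_INFO, which is the one place a SID shows up outside NDR. The sample PAC, the user name, the domain and the SID are all constructed here; the checksum bytes are dummies and nothing is cryptographically verified.

```python
"""Decode raw PAC buffers as returned by the urn:mspac: GSSAPI name attributes.
Added example, not MIT krb5 code. Layouts follow MS-PAC; the sample PAC below
is constructed inline, not captured from a KDC."""
import struct
from datetime import datetime, timedelta, timezone

# PAC_INFO_BUFFER ulType values and the urn:mspac: names krb5 maps them to.
ATTR_NAMES = {
    0x01: "urn:mspac:logon-info",        # KERB_VALIDATION_INFO, NDR-encoded
    0x02: "urn:mspac:credentials-info",  # NDR-encoded, encrypted to the client
    0x06: "urn:mspac:server-checksum",
    0x07: "urn:mspac:privsvr-checksum",
    0x0A: "urn:mspac:client-info",
    0x0B: "urn:mspac:delegation-info",   # NDR-encoded
    0x0C: "urn:mspac:upn-dns-info",
}
NDR_BUFFERS = {0x01, 0x02, 0x0B}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_pac(blob):
    """Split a PACTYPE blob into {ulType: bytes}, bounds-checking every entry."""
    if len(blob) < 8:
        raise ValueError("PAC shorter than PACTYPE header")
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    table_end = 8 + 16 * count
    if table_end > len(blob):
        raise ValueError("PAC buffer table truncated")
    buffers = {}
    for i in range(count):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset < table_end or offset + size > len(blob):
            raise ValueError("buffer %#x points outside the PAC" % ultype)
        if ultype in buffers:
            raise ValueError("duplicate buffer %#x" % ultype)
        buffers[ultype] = blob[offset:offset + size]
    return buffers


def decode_sid(raw):
    """RPC_SID bytes (revision, count, 48-bit authority, subauthorities) -> S-1-..."""
    rev, nsub = raw[0], raw[1]
    if len(raw) < 8 + 4 * nsub:
        raise ValueError("SID truncated")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % nsub, raw, 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))


def decode_client_info(buf):
    """PAC_CLIENT_INFO: ticket authtime and the client name the KDC recorded."""
    authtime, name_len = struct.unpack_from("<QH", buf, 0)
    return filetime_to_datetime(authtime), buf[10:10 + name_len].decode("utf-16-le")


def decode_upn_dns_info(buf):
    """PAC_UPN_DNS_INFO: UPN and DNS domain; with the S flag (0x2) also SAM name and SID."""
    upn_len, upn_off, dns_len, dns_off, flags = struct.unpack_from("<HHHHI", buf, 0)
    info = {"upn": buf[upn_off:upn_off + upn_len].decode("utf-16-le"),
            "dns_domain": buf[dns_off:dns_off + dns_len].decode("utf-16-le"),
            "flags": flags}
    if flags & 0x2:
        sam_len, sam_off, sid_len, sid_off = struct.unpack_from("<HHHH", buf, 12)
        info["sam_name"] = buf[sam_off:sam_off + sam_len].decode("utf-16-le")
        info["sid"] = decode_sid(buf[sid_off:sid_off + sid_len])
    return info


def decode_signature(buf):
    """PAC_SIGNATURE_DATA: Kerberos checksum type, then the raw checksum bytes."""
    return struct.unpack_from("<I", buf, 0)[0], buf[4:]


def summarize(blob):
    """Everything an application can read from a PAC without an NDR decoder."""
    out = {}
    for ultype, buf in parse_pac(blob).items():
        name = ATTR_NAMES.get(ultype, "unknown:%#x" % ultype)
        if ultype == 0x0A:
            out[name] = decode_client_info(buf)
        elif ultype == 0x0C:
            out[name] = decode_upn_dns_info(buf)
        elif ultype in (0x06, 0x07):
            out[name] = decode_signature(buf)
        elif ultype in NDR_BUFFERS:
            out[name] = "NDR-encoded, %d bytes, needs an NDR decoder" % len(buf)
        else:
            out[name] = buf
    return out


def build_pac(buffers):
    """Lay out {ulType: bytes} as a PACTYPE blob with 8-byte aligned buffers."""
    table, body, offset = b"", b"", 8 + 16 * len(buffers)
    for ultype, buf in buffers.items():
        table += struct.pack("<IIQ", ultype, len(buf), offset)
        padded = buf + b"\0" * (-len(buf) % 8)
        body, offset = body + padded, offset + len(padded)
    return struct.pack("<II", len(buffers), 0) + table + body


def sample_pac():
    """Constructed sample PAC (not captured): one user, dummy checksums, opaque logon-info."""
    u16 = lambda s: s.encode("utf-16-le")
    authtime = datetime(2023, 8, 24, 13, 1, 54, tzinfo=timezone.utc)
    client = struct.pack("<QH", datetime_to_filetime(authtime), len(u16("jdoe"))) + u16("jdoe")
    upn, dns, sam = u16("jdoe@example.test"), u16("EXAMPLE.TEST"), u16("jdoe")
    sid = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1105)
    hdr = 20  # fixed fields including the S-flag extension
    upn_dns = struct.pack("<HHHHIHHHH", len(upn), hdr, len(dns), hdr + len(upn), 0x2,
                          len(sam), hdr + len(upn) + len(dns), len(sid),
                          hdr + len(upn) + len(dns) + len(sam)) + upn + dns + sam + sid
    return build_pac({
        0x01: b"\x01\x10\x08\x00" + b"\0" * 60,  # placeholder bytes, not a real KERB_VALIDATION_INFO
        0x0A: client,
        0x0C: upn_dns,
        0x06: struct.pack("<I", 0x10) + b"\x11" * 12,  # type 0x10 = HMAC-SHA1-96-AES256, dummy value
        0x07: struct.pack("<I", 0x10) + b"\x22" * 12,
    })
```

    Two things to keep in mind when using something like this behind gss_get_name_attribute: check the `authenticated` output the call gives you (RFC 6680) before trusting any of these values, since that is how libkrb5 tells you whether its own checksum verification succeeded, and, as Ken points out, the group membership you actually want lives in logon-info as SIDs inside NDR, so an NDR decoder and a SID-to-name lookup are still on the application.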
  • From Ondrej Valousek@ondrej.valousek.xm@renesas.com to kerberos@mit.edu on Mon Aug 28 07:00:59 2023
    From Newsgroup: comp.protocols.kerberos

    Great, thanks for the answer!
