CIFS and the krb5 PRF

I'm not a Kerberos or a GSSAPI guru, simply one who has to clean up
various bits of the puzzle that has been placed in front of me regarding
the use of GSSAPI on CIFS and other Samba-implemented protocols.

In particular, I'm concerned to try and get out of the GSSAPI game, and
would some day love to put Samba back outside the 'implements some
variant of GSSAPI' box.  

Currently, Samba implements a very shoddy GSSAPI wrapping, as well as
SPNEGO, partly because it requires access to the raw Kerberos session
key for use particularly in the CIFS protocol.

CIFS uses the Kerberos session key for encrypting specific data portions
on DCE/RPC named pipes, as well as to key the SMB signing system.

My question is this (because I can't make heads or tails of the draft,
sorry):  Is the proposed PRF compatible with Microsoft's existing use in
this area, or will Samba forevermore be making calls to
krb5_auth_con_getremotesubkey(context, auth_context, &skey) and
krb5_auth_con_getlocalsubkey(context, auth_context, &skey)?

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


_______________________________________________
Kitten mailing list
Kitten at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/kitten

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.