Forum: >>> Magnum BBS <<<

Dark
Log in

Username Password

Re: Kerberos PAC decoding support

From Ken Hornstein@21:1/5 to Ondrej Valousek on Thu Aug 24 13:01:54 2023

Copy: kerberos@mit.edu (kerberos@mit.edu)

I am wondering if it is reasonable to request the MIT library to
support PAC decoding (possibly in form of Named Attributes) so that the >information there could be used in calling application, I.e.:

https://github.com/gssapi/mod_auth_gssapi/issues/288#issuecomment-1690541858

Is something like this reasonable? If yes, is this support planned in >forthcoming releases of MIT Kerberos library?

I _think_ that's already there? If you're using the GSSAPI you already
have support for named attribute retrieval, as detailed here:

https://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html

I know there is already extensive PAC decoding and validation in later
MIT Kerberos versions. But I would caution you that like Simo mentioned
I think all you get is SIDs in the PAC and you have to do some more work
to turn that into something useful.

--Ken

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Ondrej Valousek@21:1/5 to All on Thu Aug 24 06:18:10 2023

Hi List,

I am wondering if it is reasonable to request the MIT library to support PAC decoding (possibly in form of Named Attributes) so that the information there could be used in calling application, I.e.:

https://github.com/gssapi/mod_auth_gssapi/issues/288#issuecomment-1690541858

Is something like this reasonable? If yes, is this support planned in forthcoming releases of MIT Kerberos library?

Thanks.
Ond�ej

Zasl�no z Outlooku pro Android<https://aka.ms/AAb9ysg>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Greg Hudson@21:1/5 to Ondrej Valousek on Thu Aug 24 13:15:32 2023

To: kerberos@mit.edu (kerberos@mit.edu)

On 8/24/23 02:18, Ondrej Valousek wrote:

I am wondering if it is reasonable to request the MIT library to support PAC decoding (possibly in form of Named Attributes) so that the information there could be used in calling application, I.e.:

PAC buffers are available via these name attributes:

urn:mspac: (for the whole PAC)
urn:mspac:logon-info
urn:mspac:credentials-info
urn:mspac:server-checksum
urn:mspac:privsvr-checksum
urn:mspac:client-info
urn:mspac:delegation-info
urn:mspac:upn-dns-info

libkrb5 doesn't do any NDR decoding, so that part has to be done by the application.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Ondrej Valousek@21:1/5 to Greg Hudson on Mon Aug 28 07:00:59 2023

To: kerberos@mit.edu (kerberos@mit.edu)

Great, thanks for the answer!

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online
Recent Visitors
- Plume
  Sun Sep 14 09:34:52 2025
  from Uk via Raw
- Gretchiie
  Sun Sep 14 06:07:30 2025
  from Derry, Nh via Telnet
- Thlc
  Sat Sep 13 17:11:34 2025
  from Rognac, France via Telnet
- Thlc
  Sat Sep 13 17:04:03 2025
  from Rognac, France via Telnet
- Thlc
  Sat Sep 13 16:32:19 2025
  from Rognac, France via SSH
- Thlc
  Sat Sep 13 15:41:11 2025
  from Rognac, France via SSH
- Thlc
  Sat Sep 13 07:56:03 2025
  from Rognac, France via SSH
- Gretchiie
  Sat Sep 13 07:22:10 2025
  from Derry, Nh via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	546
Nodes:	16 (0 / 16)
Uptime:	161:33:56
Calls:	10,385
Calls today:	2
Files:	14,057
Messages:	6,416,500