[linux-cifs-client] Kerberos5 support in cifs patchset [PATCH: 4/4] userspace utility for creating security blob and getting session key

Jeff Layton jlayton at redhat.com
Fri Oct 26 11:24:36 GMT 2007


On Fri, 26 Oct 2007 14:04:30 +0400
"Q (Igor Mammedov)" <qwerty0987654321 at mail.ru> wrote:

> simo wrote:
> > Have you already thought how to find the right credentials here ?
> 
> It takes the first TGT from the default Kerberos cache file. We don't
> have direct means to select what TGT to use for TGS. I could suggest
> that we can use the UID of the user calling the 'mount' utility to
> decide whose krb5 cache to use (assuming that most users have only one
> TGT). For hands-off cache initialization we could use keytab files. The
> proper place for this could be in mount.cifs. For example, we specify
> sec='krb5' and a credentials option with a keytab file or user/password,
> and the mount.cifs utility initializes the cache with a TGT.
> 
> Recently I've played with mounting using krb5 auth as an ordinary user
> and have a patch to cifs_spnego.c and my kernel patch that allows
> using the right cache depending on the calling user.
> 
> > Do you know if the sesskey is always guaranteed to be a fixed
> > length ?
> 
> There are no guarantees that the sesskey length will be fixed in the
> future. However, preliminary reading on this topic reveals that the
> often used ciphers are DES/RC4-HMAC (MS-Preferred)/3DES/AES, and the
> maximum key length among them is 256 bits, for AES.
> 

mac_key.data.ntlm is CIFS_SESS_KEY_SIZE+16. CIFS_SESS_KEY_SIZE is 24. So
that gives us 40 bytes and should be enough to hold a 32 byte key. We
might still want to rename that member to eliminate confusion (or add a
new "krb5" member or something).

-- 
Jeff Layton <jlayton at redhat.com>
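
Added example, not part of the original message or of the CIFS code: a user-space model of the sizing point above, where a session key of externally supplied length is checked against the 40-byte buffer before it is copied. The struct layout, the `krb5` member, the `len` field and `store_krb5_sesskey()` are assumptions made for illustration; only `CIFS_SESS_KEY_SIZE` and `mac_key.data.ntlm` come from the thread.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CIFS_SESS_KEY_SIZE 24   /* value quoted in the message above */

/* Hypothetical model of the key holder discussed above; the "krb5"
 * member is the kind of rename/addition the message suggests. */
struct mac_key {
    unsigned int len;                           /* valid key bytes */
    union {
        uint8_t ntlm[CIFS_SESS_KEY_SIZE + 16];  /* 40 bytes */
        uint8_t krb5[CIFS_SESS_KEY_SIZE + 16];  /* same storage, clearer name */
    } data;
};

/* Copy a session key returned by the userspace helper (hypothetical
 * function). The length is supplied from outside, so it is checked
 * against the destination size rather than assumed from one cipher. */
int store_krb5_sesskey(struct mac_key *mk, const uint8_t *key, size_t len)
{
    if (mk == NULL || key == NULL)
        return -EINVAL;
    if (len == 0 || len > sizeof(mk->data.krb5))
        return -EINVAL;     /* reject: never truncate or overflow */

    memcpy(mk->data.krb5, key, len);
    /* Clear the tail so bytes of an earlier, longer key do not linger. */
    memset(mk->data.krb5 + len, 0, sizeof(mk->data.krb5) - len);
    mk->len = (unsigned int)len;
    return 0;
}

int main(void)
{
    struct mac_key mk = { 0 };
    uint8_t aes256_key[32];                     /* constructed sample key */

    memset(aes256_key, 0x5A, sizeof(aes256_key));
    /* A 32-byte key fits the 40-byte buffer, so this returns 0. */
    return store_krb5_sesskey(&mk, aes256_key, sizeof(aes256_key));
}
```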

