GSSAPI Kerberos mechanism
Richard Sharpe
rsharpe at ns.aus.com
Fri Sep 6 05:41:00 GMT 2002
On Fri, 6 Sep 2002, Luke Howard wrote:
>
> >I think that this document is close to defining the format of KRB5
> >requests in GSSAPI/SPNEGO
OK, that is the definition we are seeing. Thanks for that.
I have committed patches to Ethereal to dissect that, and I now need to
fix the kerberos 5 dissector so that the AP-REQ, AP-REP and KRB-ERROR can
be dissected separately from the whole of Kerberos itself.
> Alternatively, see "The Kerberos Version 5 GSS-API Mechanism",
> RFC 1964. There may be a WG update somewhere...
>
> -- Luke
>
> 1.1. Context Establishment Tokens
>
> Per RFC-1508, Appendix B, the initial context establishment token
> will be enclosed within framing as follows:
>
>         InitialContextToken ::=
>         [APPLICATION 0] IMPLICIT SEQUENCE {
>                 thisMech MechType
>                         -- MechType is OBJECT IDENTIFIER
>                         -- representing "Kerberos V5"
>                 innerContextToken ANY DEFINED BY thisMech
>                         -- contents mechanism-specific;
>                         -- ASN.1 usage within innerContextToken
>                         -- is not required
>         }
>
> The innerContextToken of the initial context token will consist of a
> Kerberos V5 KRB_AP_REQ message, preceded by a two-byte token-id
> (TOK_ID) field, which shall contain the value 01 00.
>
> The above GSS-API framing shall be applied to all tokens emitted by
> the Kerberos V5 GSS-API mechanism, including KRB_AP_REP, KRB_ERROR,
> context-deletion, and per-message tokens, not just to the initial
> token in a context establishment sequence. While not required by
> RFC-1508, this enables implementations to perform enhanced error-
> checking. The innerContextToken field of context establishment tokens
> for the Kerberos V5 GSS-API mechanism will contain a Kerberos message
> (KRB_AP_REQ, KRB_AP_REP or KRB_ERROR), preceded by a 2-byte TOK_ID
> field containing 01 00 for KRB_AP_REQ messages, 02 00 for KRB_AP_REP
> messages and 03 00 for KRB_ERROR messages.
>
> --
> Luke Howard | lukehoward.com
> PADL Software | www.padl.com
>
--
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com
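The RFC 1964 framing quoted in the message above, worked through as an added example that is not part of this thread, of Ethereal, or of Samba: a small Python parser and builder for the outer GSS-API token (the [APPLICATION 0] SEQUENCE carrying the mechanism OID, then the 2-byte TOK_ID, then the raw Kerberos message). It stops where Richard's note says the Kerberos 5 dissector has to take over: the AP-REQ/AP-REP/KRB-ERROR body is handed back as opaque bytes. Assumptions beyond the page: the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 and Microsoft's 1.2.840.48018.1.2.2 variant, and the [APPLICATION 14/15/30] tags of AP-REQ, AP-REP and KRB-ERROR, which come from the Kerberos V5 specification rather than from RFC 1964. The AP-REQ payload in the sample is a constructed, zero-filled placeholder with a correct outer tag and length, not a captured message.

```python
"""
Added example (not from the samba-technical thread or from Ethereal): parse and
build the GSS-API Kerberos V5 context-establishment token framing described in
RFC 1964 section 1.1. The Kerberos message inside the token is not decoded.
"""

# DER content bytes of the mechanism OIDs (no tag/length bytes).
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2 (RFC 1964)
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft variant; assumed)

# TOK_ID -> (message name, ASN.1 APPLICATION tag number the Kerberos message must carry).
# The tag numbers 14/15/30 are from the Kerberos V5 spec, not from RFC 1964 itself.
TOK_IDS = {
    b"\x01\x00": ("KRB_AP_REQ", 14),
    b"\x02\x00": ("KRB_AP_REP", 15),
    b"\x03\x00": ("KRB_ERROR", 30),
}


def _der_len_encode(n):
    """Encode a DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_len_decode(data, pos):
    """Decode a DER length at data[pos]; return (length, position after it)."""
    if pos >= len(data):
        raise ValueError("truncated length")
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:          # indefinite form is not DER; cap size
        raise ValueError("indefinite or oversized length")
    if pos + nbytes > len(data):
        raise ValueError("truncated long-form length")
    return int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes


def build_gss_token(mech_oid, tok_id, krb_msg):
    """Wrap TOK_ID + Kerberos message in the RFC 1964 [APPLICATION 0] framing."""
    oid_tlv = b"\x06" + _der_len_encode(len(mech_oid)) + mech_oid
    body = oid_tlv + tok_id + krb_msg
    return b"\x60" + _der_len_encode(len(body)) + body


def parse_gss_token(data):
    """Strip the framing and return mech OID, TOK_ID, message name and raw Kerberos bytes."""
    if len(data) < 2 or data[0] != 0x60:
        raise ValueError("not an [APPLICATION 0] GSS-API token")
    total, pos = _der_len_decode(data, 1)
    if pos + total != len(data):           # reject both truncated and trailing-garbage tokens
        raise ValueError("outer length %d does not match payload %d" % (total, len(data) - pos))
    if pos >= len(data) or data[pos] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER after outer header")
    oid_len, pos = _der_len_decode(data, pos + 1)
    mech = data[pos:pos + oid_len]
    pos += oid_len
    if len(mech) != oid_len:
        raise ValueError("truncated mechanism OID")
    if mech not in (KRB5_OID, MS_KRB5_OID):
        raise ValueError("not a Kerberos V5 mechanism token (SPNEGO etc. handled elsewhere)")
    tok_id = data[pos:pos + 2]
    if tok_id not in TOK_IDS:
        raise ValueError("unknown TOK_ID %r" % tok_id)
    name, app_tag = TOK_IDS[tok_id]
    krb_msg = data[pos + 2:]
    # Enhanced error-checking: TOK_ID must agree with the Kerberos message's own tag,
    # and the message's DER length must cover exactly the rest of the token.
    if not krb_msg or krb_msg[0] != (0x60 | app_tag):
        raise ValueError("TOK_ID %s but Kerberos message does not carry APPLICATION %d" % (name, app_tag))
    klen, kpos = _der_len_decode(krb_msg, 1)
    if kpos + klen != len(krb_msg):
        raise ValueError("Kerberos message length disagrees with token length")
    return {"mech": mech, "tok_id": tok_id, "msg_type": name, "krb_msg": krb_msg}


def is_valid_token(data):
    """True if parse_gss_token accepts data, False on any framing error."""
    try:
        parse_gss_token(data)
        return True
    except ValueError:
        return False


# Constructed placeholder standing in for a real AP-REQ: correct [APPLICATION 14]
# tag and long-form length (0x81 0xC8), zero-filled contents. Not a real message.
FAKE_AP_REQ = b"\x6e" + _der_len_encode(200) + bytes(200)


def sample_token():
    """The initial context token an initiator would emit for the placeholder AP-REQ."""
    return build_gss_token(KRB5_OID, b"\x01\x00", FAKE_AP_REQ)


if __name__ == "__main__":
    parsed = parse_gss_token(sample_token())
    print(parsed["msg_type"], parsed["mech"].hex(), len(parsed["krb_msg"]), "bytes of Kerberos message")
```

The two consistency checks at the end of parse_gss_token are the "enhanced error-checking" the RFC text alludes to: because every Kerberos token carries both a TOK_ID and an ASN.1 tag, a dissector or a GSS acceptor can refuse a token whose two labels disagree instead of feeding mislabelled bytes to the Kerberos decoder. A real AP-REQ is well over 127 bytes, so the long-form length path is the one exercised on real traffic; the placeholder is sized to hit it too.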