GSSAPI Kerberos mechanism

Richard Sharpe rsharpe at ns.aus.com
Fri Sep 6 05:41:00 GMT 2002


On Fri, 6 Sep 2002, Luke Howard wrote:

> 
> >I think that this document is close to defining the format of KRB5 
> >requests in GSSAPI/SPNEGO

OK, that is the definition we are seeing. Thanks for that.

I have committed patches to Ethereal to dissect that, and I now need to 
fix the Kerberos 5 dissector so that the AP-REQ, AP-REP and KRB-ERROR can 
be dissected separately from the whole of Kerberos itself.
 
> Alternatively, see "The Kerberos Version 5 GSS-API Mechanism", 
> RFC 1964. There may be a WG update somewhere...
> 
> -- Luke
> 
> 1.1. Context Establishment Tokens
> 
>    Per RFC-1508, Appendix B, the initial context establishment token
>    will be enclosed within framing as follows:
> 
>    InitialContextToken ::=
>    [APPLICATION 0] IMPLICIT SEQUENCE {
>            thisMech        MechType 
>                    -- MechType is OBJECT IDENTIFIER
>                    -- representing "Kerberos V5"
>            innerContextToken ANY DEFINED BY thisMech
>                    -- contents mechanism-specific;
>                    -- ASN.1 usage within innerContextToken
>                    -- is not required
>            }
>    
>    The innerContextToken of the initial context token will consist of a
>    Kerberos V5 KRB_AP_REQ message, preceded by a two-byte token-id
>    (TOK_ID) field, which shall contain the value 01 00.
>            
>    The above GSS-API framing shall be applied to all tokens emitted by
>    the Kerberos V5 GSS-API mechanism, including KRB_AP_REP, KRB_ERROR,
>    context-deletion, and per-message tokens, not just to the initial
>    token in a context establishment sequence.  While not required by
>    RFC-1508, this enables implementations to perform enhanced error-
>    checking. The innerContextToken field of context establishment tokens
>    for the Kerberos V5 GSS-API mechanism will contain a Kerberos message
>    (KRB_AP_REQ, KRB_AP_REP or KRB_ERROR), preceded by a 2-byte TOK_ID
>    field containing 01 00 for KRB_AP_REQ messages, 02 00 for KRB_AP_REP
>    messages and 03 00 for KRB_ERROR messages.
> 
> --
> Luke Howard | lukehoward.com
> PADL Software | www.padl.com
> 

-- 
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com
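The framing Luke quotes from RFC 1964, as an added worked example that is not part of this thread and not Ethereal's dissector code: a small Python builder and parser for the [APPLICATION 0] wrapper, the thisMech OID, the two-byte TOK_ID and the Kerberos message behind it. The Kerberos V5 mechanism OID (1.2.840.113554.1.2.2) and the outer [APPLICATION n] tags of AP-REQ (14), AP-REP (15) and KRB-ERROR (30) are taken from RFC 1964 and RFC 1510 rather than from the quoted text; SAMPLE_AP_REQ is a constructed stub that only exercises the framing, not a real AP-REQ. The parser also does the "enhanced error-checking" the RFC alludes to, by refusing a TOK_ID that contradicts the tag of the Kerberos message that follows it.

```python
"""Build and parse the RFC 1964 GSS-API framing of a Kerberos V5 context token.

Added illustration; not code from Ethereal or from the mailing-list thread.
"""

# Kerberos V5 mechanism OID (RFC 1964); the value is not quoted in the thread.
KRB5_MECH_OID = "1.2.840.113554.1.2.2"

# TOK_ID values from the quoted RFC text.
TOK_ID_NAMES = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}

# Outer tags of the Kerberos messages (RFC 1510): [APPLICATION 14/15/30], constructed.
KRB_TAG_NAMES = {0x6E: "KRB_AP_REQ", 0x6F: "KRB_AP_REP", 0x7E: "KRB_ERROR"}


def read_length(data, pos):
    """Decode a DER length at data[pos]; return (length, position after it)."""
    if pos >= len(data):
        raise ValueError("truncated length")
    first, pos = data[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(data):
        raise ValueError("bad DER length")
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def der_length(n):
    """Encode n as a DER length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_oid(body):
    """Decode OID content octets to dotted form (first arc 0..2 only)."""
    if not body or body[0] >= 0x80:
        raise ValueError("unsupported OID first octet")
    arcs, val, pending = [body[0] // 40, body[0] % 40], 0, False
    for b in body[1:]:
        val, pending = (val << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID into DER content octets (base-128, high bit = more)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_krb5_gss_token(tok_id, krb_msg):
    """Wrap a Kerberos message exactly as RFC 1964 section 1.1 describes."""
    if tok_id not in TOK_ID_NAMES:
        raise ValueError("unknown TOK_ID")
    oid = encode_oid(KRB5_MECH_OID)
    inner = b"\x06" + der_length(len(oid)) + oid + tok_id + krb_msg
    return b"\x60" + der_length(len(inner)) + inner  # [APPLICATION 0] IMPLICIT SEQUENCE


def parse_krb5_gss_token(token):
    """Strip the framing; return mech OID, TOK_ID name and the raw Kerberos message.

    Raises ValueError on any framing fault, including a TOK_ID that contradicts
    the Kerberos message's own outer tag.
    """
    if not token or token[0] != 0x60:
        raise ValueError("not an InitialContextToken (expected tag 0x60)")
    length, pos = read_length(token, 1)
    if length == 0 or pos + length != len(token):
        raise ValueError("outer length does not match token size")
    if token[pos] != 0x06:
        raise ValueError("thisMech is not an OBJECT IDENTIFIER")
    oid_len, pos = read_length(token, pos + 1)
    oid = decode_oid(token[pos:pos + oid_len])
    pos += oid_len
    if oid != KRB5_MECH_OID:
        raise ValueError("not the Kerberos V5 mechanism: " + oid)
    tok_id = token[pos:pos + 2]
    if tok_id not in TOK_ID_NAMES:
        raise ValueError("unknown or missing TOK_ID %r" % tok_id)
    krb_msg = token[pos + 2:]
    if not krb_msg:
        raise ValueError("no Kerberos message after TOK_ID")
    by_tag = KRB_TAG_NAMES.get(krb_msg[0])
    if by_tag != TOK_ID_NAMES[tok_id]:
        raise ValueError("TOK_ID says %s but message tag 0x%02x says %s"
                         % (TOK_ID_NAMES[tok_id], krb_msg[0], by_tag))
    return {"mech": oid, "tok_id": TOK_ID_NAMES[tok_id], "krb_msg": krb_msg}


def is_well_framed(token):
    """True if parse_krb5_gss_token accepts the token, else False."""
    try:
        parse_krb5_gss_token(token)
        return True
    except ValueError:
        return False


# Constructed stub: [APPLICATION 14] { SEQUENCE { INTEGER 5 } }. A real AP-REQ also
# carries the ticket and authenticator; this only exercises the framing.
SAMPLE_AP_REQ = bytes.fromhex("6e053003020105")

if __name__ == "__main__":
    tok = build_krb5_gss_token(b"\x01\x00", SAMPLE_AP_REQ)
    print(tok.hex())
    print(parse_krb5_gss_token(tok))
```

A dissector would display the mismatch rather than reject the packet, but a GSS-API acceptor should treat it as a framing error; the first two bytes after the OID are the only place the mechanism token says what it is, so a mismatch there means either a buggy peer or a spliced message.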