[20413] in Kerberos_V5_Development
Re: Session Key through GSS-API
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Feb 28 17:40:44 2023
Message-ID: <3f7cff7f-9baf-3af0-f627-46fcfc59f310@mit.edu>
Date: Tue, 28 Feb 2023 17:39:30 -0500
To: Stephen Brown <Stephen.Brown@progress.com>,
"krbdev@mit.edu" <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <SN4PR13MB52798C23D6A56256C6D6CECC91AC9@SN4PR13MB5279.namprd13.prod.outlook.com>

On 2/28/23 12:37, Stephen Brown wrote:
> So, the application is an ODBC driver which implements the Oracle database wire-protocol (which unfortunately is not publicly documented). We have found that the session key is needed for cipher reinitialization at connect time when using Kerberos authentication and "Oracle Advanced Security" is enabled on the server. If we use the subkey the server is immediately killing the connection. But with the session key we're able to connect.

Thanks for the added context.

I don't think there is presently a GSS extension to get at the ticket
session key. Even gss_export_lucid_sec_context(), which probably
couldn't be used because it destroys the context, reports only the
sender and acceptor subkey. We could consider adding a minimal
interface along the lines of GSS_C_INQ_SSPI_SESSION_KEY.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev