refactor(sspi): Kerberos client implementation #435
Conversation
…ctors into the one file;
…, and change_password functions into separate modules;
| // Renewable, Canonicalize, Enc-tkt-in-skey are on by default | ||
| // Renewable, Canonicalize. | ||
| // https://www.rfc-editor.org/rfc/rfc4120#section-5.4.1 | ||
| const DEFAULT_TGS_REQ_OPTIONS: [u8; 4] = [0x00, 0x81, 0x00, 0x08]; | ||
| const DEFAULT_TGS_REQ_OPTIONS: [u8; 4] = [0x00, 0x81, 0x00, 0x00]; |
There was a problem hiding this comment.
I found a mistake here after writing new tests. We don't need to set the enc-tkt-in-skey flag by default. It should be set only when the Kerberos U2U is negotiated
|
@CBenoit the PR is ready for review :) |
src/kerberos/client/mod.rs
Outdated
|
|
||
| let as_rep = as_exchange(client, yield_point, &kdc_req_body, pa_data_options).await?; | ||
|
|
||
| info!("AS exchange finished successfully."); |
There was a problem hiding this comment.
issue: Please avoid using INFO-level logs in libraries, as it tends to pollute usual logs of applications such as IronRDP and Devolutions Gateway. Let’s use DEBUG and TRACE only in the libraries. Feel free to use INFO in the binaries such as the ffi crate and other examples.
There was a problem hiding this comment.
fair enough!
done
src/kerberos/server/mod.rs
Outdated
There was a problem hiding this comment.
nitpick: Appears to be an empty file now
There was a problem hiding this comment.
yep, I know about it. The next PRs contain server-side Kerberos implementation. I decided to keep this file because I need it anyway
Hi,
I refactored the Kerberos client implementation and added new test to check the Kerberos U2U negotiation.