Hi list,
I recently pushed[0] some code for putting the nonce in the PA-FX-COOKIE
(to branch otp-wip of
git://git.nordu.net/krb-otp.git). It took some
changes to generic FAST code though. Please let me know if you think
this isn't a good way of solving it. For example, I can't really see
how this is supposed to work with authentications sets.
We'll definitely have to think more about how the nonce should be
constructed. As mentioned in kdc_preauth_get_cookie():
If cookies are used for real, versioning so that KDCs
can be upgraded, keying, expiration and many other issues need
to be considered.
[0]
http://git.nordu.net/?p=krb-otp.git;a=commit;h=c8ca1a83805ce967bcf251ff55...
Thanks,
Linus