On Sat, 2011-07-23 at 22:38 -0400, Chris Hecker wrote:

> It looks like I should pass it since this if-statement exists, yes? I'm
> still a security noob, but I'd assume it wouldn't be there if it wasn't
> important?

For protocol conformance, you should probably set the flag. But I don't think anything will go wrong if you don't. The conditional you found will erroneously decide to initialize the local sequence number based on the remote one, but krb5_mk_rep() will overwrite that anyway.

> Also, a related question, if you're using AP_OPTS_USE_SUBKEY,
> sendauth primes the prng a bit more manually...should I do this in my
> app?

Ideally this should be unnecessary, as we can seed our PRNG from OS-level entropy. The caveat is that our Windows code for obtaining OS entropy doesn't appear to work on XP (it works on 7; I'm not sure about Vista), but I hope we can fix that.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos