From: ghudson@mit.edu
Subject: git commit

Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED

Add support for multi-hop preauth mechs.

In the KDC, allow kdcpreauth modules to return
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.

In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
modules can use the modreq parameter to distinguish between the first
and subsequent KDC messages. We assume that the error padata will
include an element of the preauth mech's type, or at least of a type
recognized by the clpreauth module.

Also reset the list of previously attempted preauth types for both
kinds of errors. That list is really only appropriate for retrying
after a failed preauth attempt, which we don't currently do. Add an
intermediate variable for the reply code to avoid a long conditional
expression.

[ghudson@mit.edu: adjust get_in_tkt.c logic to avoid needing a helper
function; clarify commit message]

https://github.com/krb5/krb5/commit/95c3cab051aa1b8b4f7eb309bf135e8f51665baa
Author: Nathaniel McCallum
Committer: Greg Hudson
Commit: 95c3cab051aa1b8b4f7eb309bf135e8f51665baa
Branch: master
 doc/plugindev/clpreauth.rst           |  6 +++---
 src/include/k5-int.h                  |  1 +
 src/kdc/kdc_preauth.c                 |  2 ++
 src/lib/krb5/error_tables/krb5_err.et |  2 +-
 src/lib/krb5/krb/get_in_tkt.c         | 13 ++++++++-----
 5 files changed, 15 insertions(+), 9 deletions(-)
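
The client-side behaviour described in the commit message, as an added toy model in C. It is not code from krb5 or from this commit. Every toy_* name, the constructed KDC, and the max_loops cap are assumptions made for illustration; only the three error code values are real (RFC 4120 and RFC 6113).

```c
#include <stdio.h>

#define KDC_ERR_PREAUTH_FAILED              24  /* RFC 4120 */
#define KDC_ERR_PREAUTH_REQUIRED            25  /* RFC 4120 */
#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED  91  /* RFC 6113 */

struct toy_modreq { int hops_done; };  /* hypothetical per-request module state */
struct toy_stats { int requests, resets, tried; };

/* Constructed KDC: wants hops_needed preauth rounds; negative means reject. */
static int toy_kdc(int hop, int hops_needed)
{
    if (hops_needed < 0)
        return KDC_ERR_PREAUTH_FAILED;
    if (hop >= hops_needed)
        return 0;                              /* AS-REP */
    return hop == 0 ? KDC_ERR_PREAUTH_REQUIRED
                    : KDC_ERR_MORE_PREAUTH_DATA_REQUIRED;
}

/* Returns 0 on AS-REP, the KDC error code, or -1 when max_loops is hit. */
int toy_as_exchange(int hops_needed, int max_loops, struct toy_stats *st)
{
    struct toy_modreq mr = { 0 };
    int i, code;

    st->requests = st->resets = st->tried = 0;
    for (i = 0; i < max_loops; i++) {
        code = toy_kdc(mr.hops_done, hops_needed);
        st->requests++;
        if (code != KDC_ERR_PREAUTH_REQUIRED &&
            code != KDC_ERR_MORE_PREAUTH_DATA_REQUIRED)
            return code;                       /* success or a fatal error */
        /* Either error starts a fresh round: clear the tried-types list. */
        st->tried = 0;
        st->resets++;
        /* The module sees hops_done == 0 on the first KDC message only. */
        mr.hops_done++;
        st->tried++;
    }
    return -1;                     /* assumed cap against an endless KDC */
}

int main(void)
{
    struct toy_stats st;
    int ret = toy_as_exchange(2, 16, &st);
    printf("ret=%d requests=%d resets=%d tried=%d\n",
           ret, st.requests, st.resets, st.tried);
    return 0;
}
```

Because the tried list is cleared on both error codes, it never grows across hops. The loop cap is what stops a KDC that keeps answering with code 91 from holding the client in the exchange indefinitely.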