From: epeisach@MIT.EDU
Reply-To: epeisach@MIT.EDU
To: krb5-bugs@MIT.EDU
Date: Wed, 1 Jan 1997 23:19:37 -0500
Message-Id: <9701020419.AA27710@kangaroo.mit.edu>
Subject: V4 requests bypass preauth required in kdc

>Number: 329
>Category: krb5-kdc
>Synopsis: V4 requests bypass preauth required in kdc
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Wed Jan 01 23:20:00 EST 1997
>Last-Modified: Tue Sep 23 15:11:54 EDT 1997
>Originator: Ezra Peisach
>Organization: mit
>Release: 1.0-development
>Environment:
System: OSF1 kangaroo.mit.edu V3.2 214 alpha
Machine: alpha
>Description:
If you set the preauth required flag on a principal in the database, you can still get a v4 request. We need a cutoff switch, configurable in kdc.conf, that tells the kdc to do one of the following:

a) Ignore all v4 requests altogether (i.e. for security concerns)
b) Return an error for v4 requests on all principals (i.e. be nice)
c) Preauth principals will not be returned, with an error
d) All principals w/ and w/o preauth types are allowed

>How-To-Repeat:
>Fix:
I am working on code to do the above.

ezra
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: epeisach
State-Changed-When: Tue Sep 23 15:11:21 1997
State-Changed-Why: krb5-kdc/464 discusses the same problem. The code is already checked in, modulo documentation. See 464 for more details.
>Unformatted:
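The four options in the report, modelled as an added C example (not krb5's code and not the switch that was eventually checked in under PR 464): a v4 dispatch path that issues a ticket without consulting the principal's preauth flag, beside one that enforces a configured policy. The option strings, the REQUIRES_PRE_AUTH bit value, the default and the function names are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Principal attribute bit for "preauth required". krb5's database uses a flag
 * named KRB5_KDB_REQUIRES_PRE_AUTH; the bit value here is constructed. */
#define REQUIRES_PRE_AUTH 0x80u

/* One value per option (a)-(d) of the report, plus a marker for bad config.
 * Names are constructed, not the ones kdc.conf later used. */
enum v4_policy { V4_IGNORE, V4_ERROR_ALL, V4_ERROR_PREAUTH, V4_ALLOW_ALL, V4_INVALID };

/* What the KDC does with the request: stay silent, send an error, or answer. */
enum verdict { DROP, REJECT, ISSUE_TICKET };

struct principal { const char *name; unsigned attributes; };

/* Map a kdc.conf string to a policy. An unset option defaults to protecting
 * preauth principals (constructed default); an unrecognised string is flagged
 * so the dispatcher fails closed instead of silently serving v4. */
enum v4_policy parse_v4_policy(const char *value) {
    if (value == NULL)                   return V4_ERROR_PREAUTH;
    if (strcmp(value, "ignore") == 0)    return V4_IGNORE;     /* a) */
    if (strcmp(value, "error") == 0)     return V4_ERROR_ALL;  /* b) */
    if (strcmp(value, "nopreauth") == 0) return V4_ERROR_PREAUTH; /* c) */
    if (strcmp(value, "full") == 0)      return V4_ALLOW_ALL;  /* d) */
    return V4_INVALID;
}

/* Before: the v4 path never looked at the flag, so a principal marked
 * "preauth required" was still served (the bypass the report describes). */
enum verdict v4_dispatch_before(const struct principal *p) {
    (void)p;
    return ISSUE_TICKET;
}

/* After: the v4 path consults both the configured policy and the flag. */
enum verdict v4_dispatch_after(enum v4_policy policy, const struct principal *p) {
    bool needs_preauth = (p->attributes & REQUIRES_PRE_AUTH) != 0;
    switch (policy) {
    case V4_IGNORE:        return DROP;
    case V4_ERROR_ALL:     return REJECT;
    case V4_ERROR_PREAUTH: return needs_preauth ? REJECT : ISSUE_TICKET;
    case V4_ALLOW_ALL:     return ISSUE_TICKET;
    default:               return REJECT; /* misconfiguration fails closed */
    }
}
```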