Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
X-RT-Original-Encoding: iso-8859-1
Content-Length: 2804

From fcusack@ratbert.iconnet.net  Thu Oct 29 19:26:52 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA17464 for <bugs@RT-11.MIT.EDU>; Thu, 29 Oct 1998 19:26:46 -0500
Received: from ratbert.iconnet.net by MIT.EDU with SMTP
	id AA16363; Thu, 29 Oct 98 19:26:51 EST
Received: (from fcusack@localhost)
	by ratbert.iconnet.net (8.9.1/8.9.1) id TAA20474;
	Thu, 29 Oct 1998 19:27:14 -0500 (EST)
Message-Id: <199810300027.TAA20474@ratbert.iconnet.net>
Date: Thu, 29 Oct 1998 19:27:14 -0500 (EST)
From: fcusack@iconnet.net
Reply-To: fcusack@iconnet.net
To: krb5-bugs@MIT.EDU
Subject: preauth shouldn't fail if client doesn't need it
X-Send-Pr-Version: 3.99

>Number:         652
>Category:       krb5-kdc
>Synopsis:       preauth shouldn't fail if client doesn't need it
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    krb5-unassigned
>State:          closed
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Thu Oct 29 19:27:01 EST 1998
>Last-Modified:  Sun Feb  6 23:23:44 EST 2000
>Originator:     Frank Cusack
>Organization:
Icon CMT Corp.
>Release:        krb5-current-19981012
>Environment:
N/A
System: SunOS ratbert 5.6 Generic_105181-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4

>Description:
	If preauth fails because the preauth data from the
	client was of an unknown type, and the principal does not
	require preauth, then the preauth should be disregarded.
	The RFC specifically says this for PA-ENC-TIMESTAMP.
	However, the KDC will generate an error if the type is
	unknown. (If a known preauth is presented, and fails,
	an error should still be generated, regardless of
	whether or not the principal requires preauth.)
>How-To-Repeat:
	Create a principal that does not require preauth.
	Use Cybersafe client to generate a TGT request. Choose
	"no preauth". Cybersafe will include pa data of type
	237 (disregard the fact that they shouldn't do that).
	This will generate a preauth error.
>Fix:
diff -u -r1.8 kdc_preauth.c
--- kdc_preauth.c       1998/10/21 19:09:18     1.8
+++ kdc_preauth.c       1998/10/30 00:24:57
@@ -280,6 +280,13 @@
     }
     if (pa_ok)
        return 0;
+
+    /* pa system was not found, but principal doesn't require preauth */
+    if (!pa_found &&
+        !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
+        !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+       return 0;
+
     if (!pa_found)
        com_err("krb5kdc", retval, "no valid preauth type found");
     return KRB5KDC_ERR_PREAUTH_FAILED;

>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: raeburn
State-Changed-When: Sun Feb  6 23:22:52 2000
State-Changed-Why:

Ted checked in the patch over a year ago.

>Unformatted: