Received: from cathode-dark-space.mit.edu (daemon@CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) by krbdev.mit.edu (8.9.3p2) with ESMTP id UAA02615; Sun, 1 Feb 2004 20:04:31 -0500 (EST)
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9) id i1214V1Z002896; Sun, 1 Feb 2004 20:04:31 -0500 (EST)
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2110] MIT KDC fails to handle unknown padata
From: Tom Yu
Date: Sun, 01 Feb 2004 20:04:30 -0500
In-Reply-To: (Sam Hartman via's message of "Fri, 9 Jan 2004 17:28:21 -0500 (EST)")
Lines: 14
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-RT-Original-Encoding: us-ascii
Content-Length: 541

kdc_preauth.c on the 1.3 branch has the following, which should
prevent the problem.

    /* pa system was not found, but principal doesn't require preauth */
    if (!pa_found &&
        !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
        !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
        return 0;

The code has been there since 1999.  Is this a case of the request
containing preauth that fails to verify, rather than being a case of
preauth being submitted that the KDC does not understand?

---Tom
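
Added example, not part of Tom Yu's message and not MIT krb5 source: a simplified C model of the check quoted above, separating the two cases the message asks about (padata of a type the KDC does not understand versus padata of a known type that fails to verify). `check_padata_model`, `struct padata`, `is_known`, the `PA_*` result codes, the numeric flag values, and the rule that a known type failing verification is an error are assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>

/* Flag names come from the quoted snippet; values and all other names are hypothetical. */
#define KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080
#define KRB5_KDB_REQUIRES_HW_AUTH  0x00000100
#define isflagset(flags, f) (((flags) & (f)) != 0)

enum { PA_OK = 0, PA_FAILED = 1, PA_REQUIRED = 2 };

/* Constructed padata entry: type number plus whether its contents verify. */
struct padata { int pa_type; int verifies; };

/* The model KDC understands only type 2 (PA-ENC-TIMESTAMP). */
static int is_known(int pa_type) { return pa_type == 2; }

int check_padata_model(unsigned int attributes, const struct padata *pa, size_t n)
{
    int pa_found = 0;

    for (size_t i = 0; i < n; i++) {
        if (!is_known(pa[i].pa_type))
            continue;           /* unknown type: skipped, not an error */
        pa_found = 1;
        if (pa[i].verifies)
            return PA_OK;
    }
    /* pa system was not found, but principal doesn't require preauth */
    if (!pa_found &&
        !isflagset(attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
        !isflagset(attributes, KRB5_KDB_REQUIRES_HW_AUTH))
        return PA_OK;
    return pa_found ? PA_FAILED : PA_REQUIRED;
}

int main(void)
{
    struct padata unknown = { 250, 0 };   /* constructed: type the model does not know */
    struct padata bad_ts  = { 2, 0 };     /* constructed: known type, fails to verify */
    printf("unknown, no flags:    %d\n", check_padata_model(0, &unknown, 1));
    printf("unknown, preauth req: %d\n", check_padata_model(KRB5_KDB_REQUIRES_PRE_AUTH, &unknown, 1));
    printf("bad ts, no flags:     %d\n", check_padata_model(0, &bad_ts, 1));
    return 0;
}
```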