From epeisach@MIT.EDU Wed Jan 1 23:19:39 1997
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id XAA26658 for <bugs@RT-11.MIT.EDU>; Wed, 1 Jan 1997 23:19:38 -0500
Received: from KANGAROO.MIT.EDU by MIT.EDU with SMTP
id AA25650; Wed, 1 Jan 97 23:19:38 EST
Received: by; (5.65/
id AA27710; Wed, 1 Jan 1997 23:19:37 -0500
Message-Id: <>
Date: Wed, 1 Jan 1997 23:19:37 -0500
From: epeisach@MIT.EDU
Reply-To: epeisach@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: V4 requests bypass preauth required in kdc
X-Send-Pr-Version: 3.99

>Number: 329
>Category: krb5-kdc
>Synopsis: V4 requests bypass preauth required in kdc
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Wed Jan 01 23:20:00 EST 1997
>Last-Modified: Tue Sep 23 15:11:54 EDT 1997
>Originator: Ezra Peisach
>Release: 1.0-development

System: OSF1 V3.2 214 alpha
Machine: alpha
If you set the preauth required flag on a principal in the
database, you can still get a v4 request.

We need a cutoff switch configurable in the kdc.conf that tells
the kdc to do one of the following:
a) Ignore all v4 requests altogether (i.e. for security concerns)
b) Return an error for v4 requests on all principals. (i.e. be nice)
c) Preauth principals will not be returned - with error
d) All principals w/ and w/o preauth types are allowed.


I am working on code to do the above.
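
Added example, not part of the original report and not the krb5 project's code: the four behaviours (a) to (d) written as one decision function, so the difference between dropping, rejecting, and rejecting only preauth-required principals is explicit. The enum names and the configuration strings ("ignore", "reject-all", "reject-preauth", "allow-all") are hypothetical, and failing closed on an unrecognised value is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* All names below are hypothetical; none come from the krb5 source tree. */
enum v4_policy { V4_IGNORE, V4_REJECT_ALL, V4_REJECT_PREAUTH, V4_ALLOW_ALL, V4_INVALID };
enum v4_action { V4_DROP, V4_SEND_ERROR, V4_ISSUE_TICKET };

/* Map a configured string to a policy; unknown or missing values are
 * reported as V4_INVALID so the caller can fail closed. */
enum v4_policy v4_policy_parse(const char *s)
{
    static const char *const names[] = { "ignore", "reject-all", "reject-preauth", "allow-all" };
    if (s == NULL)
        return V4_INVALID;
    for (int i = 0; i < 4; i++)
        if (strcmp(s, names[i]) == 0)
            return (enum v4_policy)i;   /* array order matches enum order */
    return V4_INVALID;
}

/* Decide what to do with one v4 request. requires_preauth is the
 * principal's "preauth required" flag from the database. */
enum v4_action v4_decide(enum v4_policy p, int requires_preauth)
{
    switch (p) {
    case V4_IGNORE:         return V4_DROP;          /* (a) no reply at all */
    case V4_REJECT_ALL:     return V4_SEND_ERROR;    /* (b) error for every principal */
    case V4_REJECT_PREAUTH:                          /* (c) error only when flag is set */
        return requires_preauth ? V4_SEND_ERROR : V4_ISSUE_TICKET;
    case V4_ALLOW_ALL:      return V4_ISSUE_TICKET;  /* (d) flag not enforced for v4 */
    default:                return V4_DROP;          /* invalid config: fail closed */
    }
}

int main(void)
{
    static const char *const cfg[] = { "ignore", "reject-all", "reject-preauth", "allow-all", "typo" };
    static const char *const act[] = { "drop", "error", "ticket" };
    for (int i = 0; i < 5; i++) {
        enum v4_policy p = v4_policy_parse(cfg[i]);
        printf("%-15s preauth=0:%-7s preauth=1:%s\n",
               cfg[i], act[v4_decide(p, 0)], act[v4_decide(p, 1)]);
    }
    return 0;
}
```

Only mode (d) still issues a v4 ticket for a principal with the preauth required flag set, which is the behaviour the report describes.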

State-Changed-From-To: open-closed
State-Changed-By: epeisach
State-Changed-When: Tue Sep 23 15:11:21 1997
krb5-kdc/464 discusses the same problem.
The code is already checked in - modulo documentation. See 464 for more details.
