From epeisach@MIT.EDU Wed Jan 1 23:19:39 1997
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id XAA26658 for <bugs@RT-11.MIT.EDU>; Wed, 1 Jan 1997 23:19:38 -0500
Received: from KANGAROO.MIT.EDU by MIT.EDU with SMTP
id AA25650; Wed, 1 Jan 97 23:19:38 EST
Received: by kangaroo.mit.edu; (5.65/1.1.8.2/08Mar96-0212PM)
id AA27710; Wed, 1 Jan 1997 23:19:37 -0500
Message-Id: <9701020419.AA27710@kangaroo.mit.edu>
Date: Wed, 1 Jan 1997 23:19:37 -0500
From: epeisach@MIT.EDU
Reply-To: epeisach@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: V4 requests bypass preauth required in kdc
X-Send-Pr-Version: 3.99
System: OSF1 kangaroo.mit.edu V3.2 214 alpha
Machine: alpha
database, you can still get a v4 request.
We need a cutoff switch configurable in the kdc.conf that tells
the kdc to do one of the following:
a) Ignore all v4 request all together (i.e. for security concerns)
b) Return an error for v4 requests on all principals. (i.e. be nice)
c) Preauth principals will not be returned - with error
d) All principals w/ and w/o preauth types are allowed.
I am working on code to do the above.
ezra
State-Changed-From-To: open-closed
State-Changed-By: epeisach
State-Changed-When: Tue Sep 23 15:11:21 1997
State-Changed-Why:
krb5-kdc/464 discusses the same problem.
The code is already checked in - modulo documentation. See 464 for more details.
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id XAA26658 for <bugs@RT-11.MIT.EDU>; Wed, 1 Jan 1997 23:19:38 -0500
Received: from KANGAROO.MIT.EDU by MIT.EDU with SMTP
id AA25650; Wed, 1 Jan 97 23:19:38 EST
Received: by kangaroo.mit.edu; (5.65/1.1.8.2/08Mar96-0212PM)
id AA27710; Wed, 1 Jan 1997 23:19:37 -0500
Message-Id: <9701020419.AA27710@kangaroo.mit.edu>
Date: Wed, 1 Jan 1997 23:19:37 -0500
From: epeisach@MIT.EDU
Reply-To: epeisach@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: V4 requests bypass preauth required in kdc
X-Send-Pr-Version: 3.99
Show quoted text
>Number: 329
>Category: krb5-kdc
>Synopsis: V4 requests bypass preauth required in kdc
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Wed Jan 01 23:20:00 EST 1997
>Last-Modified: Tue Sep 23 15:11:54 EDT 1997
>Originator: Ezra Peisach
>Organization:
mit>Category: krb5-kdc
>Synopsis: V4 requests bypass preauth required in kdc
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Wed Jan 01 23:20:00 EST 1997
>Last-Modified: Tue Sep 23 15:11:54 EDT 1997
>Originator: Ezra Peisach
>Organization:
Show quoted text
>Release: 1.0-development
>Environment:
>Environment:
System: OSF1 kangaroo.mit.edu V3.2 214 alpha
Machine: alpha
Show quoted text
>Description:
If you set the preauth required flag on a principal in thedatabase, you can still get a v4 request.
We need a cutoff switch configurable in the kdc.conf that tells
the kdc to do one of the following:
a) Ignore all v4 request all together (i.e. for security concerns)
b) Return an error for v4 requests on all principals. (i.e. be nice)
c) Preauth principals will not be returned - with error
d) All principals w/ and w/o preauth types are allowed.
Show quoted text
>How-To-Repeat:
Show quoted text
>Fix:
I am working on code to do the above.
ezra
Show quoted text
>Audit-Trail:
State-Changed-From-To: open-closed
State-Changed-By: epeisach
State-Changed-When: Tue Sep 23 15:11:21 1997
State-Changed-Why:
krb5-kdc/464 discusses the same problem.
The code is already checked in - modulo documentation. See 464 for more details.
Show quoted text
>Unformatted: