From krb5-bugs-incoming-bounces@PCH.mit.edu Wed Mar 18 18:26:57 2009
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
X-Original-To: krb5-send-pr-nospam1@krbdev.mit.edu
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id D3E3ECCC84;
Wed, 18 Mar 2009 18:26:57 +0000 (UTC)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n2IIQvMw011599;
Wed, 18 Mar 2009 14:26:57 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n2IG9YeF021478
for <krb5-bugs-incoming@PCH.mit.edu>; Wed, 18 Mar 2009 12:09:34 -0400
Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224])
by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
n2IG9Q2p023353
for <krb5-bugs@mit.edu>; Wed, 18 Mar 2009 12:09:27 -0400 (EDT)
Received: from f04n07.cac.psu.edu (localhost [127.0.0.1])
by mit.edu (Spam Firewall) with ESMTP id 0568715DD970
for <krb5-bugs@mit.edu>; Wed, 18 Mar 2009 12:09:15 -0400 (EDT)
Received: from f04n07.cac.psu.edu (f04s07.cac.psu.edu [128.118.141.35]) by
mit.edu with ESMTP id TKHdns2yIPlCwa86 for <krb5-bugs@mit.edu>;
Wed, 18 Mar 2009 12:09:15 -0400 (EDT)
X-Barracuda-Reputation: Registry
Received: from smallbus.aset.psu.edu (smallbus.aset.psu.edu [128.118.57.250])
by f04n07.cac.psu.edu (8.13.2/8.13.2) with ESMTP id n2IG9Bu3045952
for <krb5-bugs@mit.edu>; Wed, 18 Mar 2009 12:09:12 -0400
Received: (from pgp@localhost)
by smallbus.aset.psu.edu (AIX5.3/8.13.4/8.11.0) id n2IG7gwA017670;
Wed, 18 Mar 2009 12:07:42 -0400
Date: Wed, 18 Mar 2009 12:07:42 -0400
Message-Id: <200903181607.n2IG7gwA017670@smallbus.aset.psu.edu>
To: krb5-bugs@mit.edu
Subject: KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
From: pgp@psu.edu
X-send-pr-version: 3.99
X-Spam-Score: 0.55
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Wed, 18 Mar 2009 14:26:56 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: pgp@psu.edu
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
>Submitter-Id: net
>Originator: Phil Pishioneri
>Organization: Penn State University, ITS
>Confidential: no
>Synopsis: KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
>Severity: non-critical
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-current
>Environment:
System: AIX smallbus 3 5 000F48BD4C00
>Description:
In kdc/kdc_util.c, there are two checks for password (key)
expiration and account expiration. In each case, the code (and
error return) for key expiration is done before the check for
account expiration. However, it seems that account expiration
is more significant than key expiration, and should be checked
for, and returned first.
>How-To-Repeat:
Create an account, expire both the password and account.
Attempt to "kinit" to the account: KDC_ERR_KEY_EXP ("CLIENT KEY
EXPIRED") will be returned instead of KDC_ERR_NAME_EXP
("CLIENT EXPIRED").
>Fix:
In the two areas of code (search for "KDC_ERR_NAME_EXP" to find
them), move the check for KDC_ERR_NAME_EXP to be before the
check for KDC_ERR_KEY_EXP. A diff can be provided if that would
help to clarify the change.
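
A minimal model of the two check orderings discussed in the report, added here as an illustration; it is not code from kdc/kdc_util.c or from the submitter. The struct, the function names and the "zero means never expires" convention are assumptions made for the example; the error values are those defined in RFC 4120.

```c
#include <stdio.h>
#include <time.h>

/* Error values from RFC 4120. */
#define KDC_ERR_NONE      0
#define KDC_ERR_NAME_EXP  1   /* client's entry in database has expired */
#define KDC_ERR_KEY_EXP  23   /* password has expired */

/* Hypothetical, simplified principal entry (assumption: 0 = never expires). */
struct client_entry {
    time_t expiration;      /* account expiration */
    time_t pw_expiration;   /* password (key) expiration */
};

static int is_expired(time_t when, time_t now) { return when != 0 && when < now; }

/* Ordering the report describes: key expiration tested first. */
int validate_key_first(const struct client_entry *c, time_t now)
{
    if (is_expired(c->pw_expiration, now)) return KDC_ERR_KEY_EXP;
    if (is_expired(c->expiration, now))    return KDC_ERR_NAME_EXP;
    return KDC_ERR_NONE;
}

/* Ordering the report proposes: account expiration tested first. */
int validate_name_first(const struct client_entry *c, time_t now)
{
    if (is_expired(c->expiration, now))    return KDC_ERR_NAME_EXP;
    if (is_expired(c->pw_expiration, now)) return KDC_ERR_KEY_EXP;
    return KDC_ERR_NONE;
}

/* Walk all four expiry states; return how many give different errors. */
int count_disagreements(time_t now)
{
    int n = 0;
    for (int acct = 0; acct < 2; acct++) {
        for (int pw = 0; pw < 2; pw++) {
            struct client_entry c = { acct ? now - 1 : 0, pw ? now - 1 : 0 };
            int a = validate_key_first(&c, now);
            int b = validate_name_first(&c, now);
            printf("account_expired=%d key_expired=%d key-first=%d name-first=%d\n", acct, pw, a, b);
            if (a != b) n++;
        }
    }
    return n;
}

int main(void) { return count_disagreements(1000) == 1 ? 0 : 1; }
```

The two orderings differ only when both the account and the key are expired, which is the case in the How-To-Repeat steps.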