From fcusack@ratbert.iconnet.net Thu Oct 29 19:26:52 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA17464 for <bugs@RT-11.MIT.EDU>; Thu, 29 Oct 1998 19:26:46 -0500
Received: from ratbert.iconnet.net by MIT.EDU with SMTP
id AA16363; Thu, 29 Oct 98 19:26:51 EST
Received: (from fcusack@localhost)
by ratbert.iconnet.net (8.9.1/8.9.1) id TAA20474;
Thu, 29 Oct 1998 19:27:14 -0500 (EST)
Message-Id: <199810300027.TAA20474@ratbert.iconnet.net>
Date: Thu, 29 Oct 1998 19:27:14 -0500 (EST)
From: fcusack@iconnet.net
Reply-To: fcusack@iconnet.net
To: krb5-bugs@MIT.EDU
Subject: preauth shouldn't fail if client doesn't need it
X-Send-Pr-Version: 3.99

>Number: 652
>Category: krb5-kdc
>Synopsis: preauth shouldn't fail if client doesn't need it
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Oct 29 19:27:01 EST 1998
>Last-Modified: Sun Feb 6 23:23:44 EST 2000
>Originator: Frank Cusack
>Organization:
Icon CMT Corp.
>Release: krb5-current-19981012
>Environment:
N/A
System: SunOS ratbert 5.6 Generic_105181-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4

>Description:
If preauth fails because the preauth data from the
client was of an unknown type, and the principal does not
require preauth, then the preauth should be disregarded.
The RFC specifically says this for PA-ENC-TIMESTAMP.
However, the KDC will generate an error if the type is
unknown. (If a known preauth is presented, and fails,
an error should still be generated, regardless of
whether or not the principal requires preauth.)
>How-To-Repeat:
Create a principal that does not require preauth.
Use Cybersafe client to generate a TGT request. Choose
"no preauth". Cybersafe will include pa data of type
237 (disregard the fact that they shouldn't do that).
This will generate a preauth error.
>Fix:
diff -u -r1.8 kdc_preauth.c
--- kdc_preauth.c 1998/10/21 19:09:18 1.8
+++ kdc_preauth.c 1998/10/30 00:24:57
@@ -280,6 +280,13 @@
}
if (pa_ok)
return 0;
+
+ /* pa system was not found, but principal doesn't require preauth */
+ if (!pa_found &&
+ !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
+ !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+ return 0;
+
if (!pa_found)
com_err("krb5kdc", retval, "no valid preauth type found");
return KRB5KDC_ERR_PREAUTH_FAILED;
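
Review bot: The new early return at `if (!pa_found && ...)` succeeds silently, so a request that carries only unrecognized padata types is accepted for a principal without KRB5_KDB_REQUIRES_PRE_AUTH or KRB5_KDB_REQUIRES_HW_AUTH and leaves no log entry, while the `com_err(...)` call just below now fires only for principals that do require preauth. Consider logging the ignored case as well, at a lower severity, so operators can still see which clients send unknown types, and folding the new test into the existing `if (!pa_found)` block so the two `pa_found` checks sit together. The comment would also read more precisely as "no known preauth type in the request" than "pa system was not found".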

>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: raeburn
State-Changed-When: Sun Feb 6 23:22:52 2000
State-Changed-Why:

Ted checked in the patch over a year ago.

>Unformatted: