From Thu Oct 29 19:26:52 1998
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA17464 for <bugs@RT-11.MIT.EDU>; Thu, 29 Oct 1998 19:26:46 -0500
Received: from by MIT.EDU with SMTP
id AA16363; Thu, 29 Oct 98 19:26:51 EST
Received: (from fcusack@localhost)
by (8.9.1/8.9.1) id TAA20474;
Thu, 29 Oct 1998 19:27:14 -0500 (EST)
Message-Id: <>
Date: Thu, 29 Oct 1998 19:27:14 -0500 (EST)
To: krb5-bugs@MIT.EDU
Subject: preauth shouldn't fail if client doesn't need it
X-Send-Pr-Version: 3.99

>Number: 652
>Category: krb5-kdc
>Synopsis: preauth shouldn't fail if client doesn't need it
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Oct 29 19:27:01 EST 1998
>Last-Modified: Sun Feb 6 23:23:44 EST 2000
>Originator: Frank Cusack
Icon CMT Corp.
>Release: krb5-current-19981012
System: SunOS ratbert 5.6 Generic_105181-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4

If preauth fails because the preauth data from the
client was of an unknown type, and the principal does not
require preauth, then the preauth should be disregarded.
The RFC specifically says this for PA-ENC-TIMESTAMP.
However, the KDC will generate an error if the type is
unknown. (If a known preauth is presented, and fails,
an error should still be generated, regardless of
whether or not the principal requires preauth.)

Create a principal that does not require preauth.
Use Cybersafe client to generate a TGT request. Choose
"no preauth". Cybersafe will include pa data of type
237 (disregard the fact that they shouldn't do that).
This will generate a preauth error.

diff -u -r1.8 kdc_preauth.c
--- kdc_preauth.c 1998/10/21 19:09:18 1.8
+++ kdc_preauth.c 1998/10/30 00:24:57
@@ -280,6 +280,13 @@
if (pa_ok)
return 0;
+ /* pa system was not found, but principal doesn't require preauth */
+ if (!pa_found &&
+ !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
+ !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+ return 0;
if (!pa_found)
com_err("krb5kdc", retval, "no valid preauth type found");
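Review bot: the new early return in the !pa_found branch accepts the request silently, because it sits ahead of the existing com_err("krb5kdc", retval, "no valid preauth type found") call and logs nothing itself. Consider logging that unrecognised preauth data was ignored before the added "return 0;", so an operator can still see that a client sent padata the KDC did not understand. The comment would also be clearer if it said that this path is taken only when no known preauth system matched, since a known type that fails is meant to fall through to the error below.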


State-Changed-From-To: open-closed
State-Changed-By: raeburn
State-Changed-When: Sun Feb 6 23:22:52 2000

Ted checked in the patch over a year ago.
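
The acceptance rule from the report, modelled as a stand-alone C function. This is an added example, not the krb5 source: the flag bits, result codes, the padata struct and its valid field, and the single-entry table of known types are assumptions made for illustration; 237 is the type number from the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical flag bits and result codes for this model, not krb5's own. */
#define REQUIRES_PRE_AUTH 0x1u
#define REQUIRES_HW_AUTH  0x2u
enum { PA_ACCEPT = 0, PA_REJECT = 1 };
#define PA_ENC_TIMESTAMP 2   /* padata type number assigned by the RFC */

/* valid stands in for the outcome of verifying a known padata element. */
struct padata { int type; int valid; };

/* Assumption: the only preauth system this model KDC can verify. */
static const int known_types[] = { PA_ENC_TIMESTAMP };

static int is_known(int type)
{
    for (size_t i = 0; i < sizeof known_types / sizeof known_types[0]; i++)
        if (known_types[i] == type)
            return 1;
    return 0;
}

/* Outcome for one request carrying n padata elements. */
int check_padata_model(unsigned attrs, const struct padata *pa, size_t n)
{
    int pa_found = 0, pa_ok = 0;

    for (size_t i = 0; i < n; i++) {
        if (!is_known(pa[i].type))
            continue;            /* unknown type: nothing to verify */
        pa_found = 1;
        if (pa[i].valid)
            pa_ok = 1;
    }
    if (pa_ok)
        return PA_ACCEPT;
    /* Only unknown types were sent and the principal needs no preauth. */
    if (!pa_found && !(attrs & (REQUIRES_PRE_AUTH | REQUIRES_HW_AUTH)))
        return PA_ACCEPT;
    return PA_REJECT;            /* known type failed, or preauth required */
}

int main(void)
{
    struct padata req[] = { { 237, 0 } };  /* constructed: the report's case */
    puts(check_padata_model(0, req, 1) == PA_ACCEPT ? "accept" : "reject");
    return 0;
}
```

A request that mixes an unknown type with a known type that fails verification is still rejected, because pa_found is set by the known element.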
