Skip Menu |
 

From: ghudson@mit.edu
Subject: SVN Commit

In 1.7, krb5_get_init_creds will continue attempting the same built-in
preauth mechanism (e.g. encrypted timestamp) until the loop counter
maxes out. Until the preauth framework can remember not to retry
built-in mechanisms, only continue with preauth after a PREAUTH_FAILED
error resulting from optimistic preauth.


https://github.com/krb5/krb5/commit/c4fcaab5e19afea97780be5eb169ff53a8a9a21e
Commit By: ghudson
Revision: 22890
Changed Files:
U trunk/src/lib/krb5/krb/get_in_tkt.c
Based on list conversations about the behavior of
krb5_get_init_creds_opt_set_pa, the attached patch should be used for
1.7.1 instead.
Download patch.txt
text/plain 546B
Index: get_in_tkt.c
===================================================================
--- get_in_tkt.c (revision 22396)
+++ get_in_tkt.c (working copy)
@@ -1331,8 +1331,7 @@
&out_padata, &retry);
if (ret !=0)
goto cleanup;
- if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED ||err_reply->error == KDC_ERR_PREAUTH_FAILED)
-&& retry) {
+ if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && retry) {
/* reset the list of preauth types to try */
if (preauth_to_use) {
krb5_free_pa_data(context, preauth_to_use);
From: tlyu@mit.edu
Subject: SVN Commit

backport r22890 from trunk

------------------------------------------------------------------------
r22890 | ghudson | 2009-10-13 15:43:17 -0400 (Tue, 13 Oct 2009) | 11 lines

ticket: 6573
subject: Fix preauth looping in krb5_get_init_creds
tags: pullup
target_version: 1.7.1

In 1.7, krb5_get_init_creds will continue attempting the same built-in
preauth mechanism (e.g. encrypted timestamp) until the loop counter
maxes out. Until the preauth framework can remember not to retry
built-in mechanisms, only continue with preauth after a PREAUTH_FAILED
error resulting from optimistic preauth.

https://github.com/krb5/krb5/commit/d5e2d1224596ce578093e037f54149ddb922bf10
Commit By: tlyu
Revision: 23640
Changed Files:
U branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c