Ticket History #6788: document preferred_preauth

# Tue Sep 28 08:50:01 2010 hartmans (Sam Hartman) - Ticket created

From:	Sam Hartman <hartmans@MIT.EDU>
To:	Nicolas Williams <Nicolas.Williams@oracle.com>, krb5-bugs@MIT.EDU
Subject:	document preferred_preauth_types
Date:	Tue, 28 Sep 2010 08:49:49 -0400
CC:	Russ Allbery <rra@stanford.edu>

Download (untitled) / with headers
text/plain 432B

In a discussion on krbdev, Nico told Russ that krb5.conf could force
preauth.
Russ said he was unaware of that option; Nico thought he must have been
mistaken.
However, Quoting get_in_tkt.c:

ret = krb5int_libdefault_string(context, realm,
KRB5_CONF_PREFERRED_PREAUTH\
_TYPES,
&preauth_types);

This option should be documented.

--Sam

# Tue Sep 28 13:14:25 2010 Nicolas Williams <Nicolas.Williams@oracle.com> - Ticket #6789: - Ticket created

Date:	Tue, 28 Sep 2010 09:56:00 -0500
From:	Nicolas Williams <Nicolas.Williams@oracle.com>
To:	Sam Hartman <hartmans@MIT.EDU>
Subject:	Re: document preferred_preauth_types
CC:	Russ Allbery <rra@stanford.edu>, krb5-bugs@MIT.EDU

Download (untitled) / with headers
text/plain 585B

On Tue, Sep 28, 2010 at 08:49:49AM -0400, Sam Hartman wrote:

Show quoted text

> In a discussion on krbdev, Nico told Russ that krb5.conf could force
> preauth.
> Russ said he was unaware of that option; Nico thought he must have been
> mistaken.
> However, Quoting get_in_tkt.c:
>
> ret = krb5int_libdefault_string(context, realm,
> KRB5_CONF_PREFERRED_PREAUTH\
> _TYPES,
> &preauth_types);

Reading the code I got the impression that this ony works when the KDC
requires pre-auth.

Show quoted text

> This option should be documented.

It should be, yes.

Nico
--

# Tue Sep 28 14:29:18 2010 ghudson@mit.edu (Greg Hudson) - Ticket #6789: - Ticket 6789 MergedInto ticket 6788.

# Tue Feb 22 15:14:39 2011 tlyu (Taylor Yu) - Correspondence added

To:	rt@krbdev.MIT.EDU
Subject:	Re: [krbdev.mit.edu #6788] document preferred_preauth_types
From:	Tom Yu <tlyu@MIT.EDU>
Date:	Tue, 22 Feb 2011 15:14:37 -0500
RT-Send-Cc:

Download (untitled) / with headers
text/plain 535B

"Sam Hartman via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text

> In a discussion on krbdev, Nico told Russ that krb5.conf could force
> preauth.
> Russ said he was unaware of that option; Nico thought he must have been
> mistaken.
> However, Quoting get_in_tkt.c:
>
> ret = krb5int_libdefault_string(context, realm,
> KRB5_CONF_PREFERRED_PREAUTH\
> _TYPES,
> &preauth_types);
>
>
>
> This option should be documented.

Do you have suggested text?

# Tue Feb 22 15:55:46 2011 ghudson@mit.edu (Greg Hudson) - Correspondence added

Download (untitled) / with headers
text/plain 316B

By my reading of the code, that variable doesn't do what Sam thinks it
does. It affects the sort order of the preauth list (and the default
value is what causes PKINIT to be used in preference to mechanisms which
would prompt for the password, like encrypted timestamp), but it doesn't
cause optimistic preauth.

Ticket History #6788: document preferred_preauth_types