Add support for multi-hop preauth mechs.

In the KDC, allow kdcpreauth modules to return
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.

In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
modules can use the modreq parameter to distinguish between the first
and subsequent KDC messages. We assume that the error padata will
include an element of the preauth mech's type, or at least of a type
recognized by the clpreauth module.

Also reset the list of previously attempted preauth types for both
kinds of errors. That list is really only appropriate for retrying
after a failed preauth attempt, which we don't currently do. Add an
intermediate variable for the reply code to avoid a long conditional

[firstname.lastname@example.org: adjust get_in_tkt.c logic to avoid needing a helper
function; clarify commit message]

Author: Nathaniel McCallum <email@example.com>
Committer: Greg Hudson <firstname.lastname@example.org>

doc/plugindev/clpreauth.rst | 6 +++---
src/include/k5-int.h | 1 +
src/kdc/kdc_preauth.c | 2 ++
src/lib/krb5/error_tables/krb5_err.et | 2 +-
src/lib/krb5/krb/get_in_tkt.c | 13 ++++++++-----
5 files changed, 15 insertions(+), 9 deletions(-)
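
The client-side behaviour the commit message describes, as an added stand-alone model that is not code from this commit or from libkrb5: both error codes continue the exchange, the tried-types list is reset on each, and per-request state standing in for modreq tells the first KDC message from later ones. All `toy_*` names and the scripted replies are hypothetical, and the `max_hops` bound is an assumption added here so a KDC that keeps asking for more data cannot loop the client forever.

```c
#include <stddef.h>
#include <stdio.h>

/* Reply codes: 25 from RFC 4120, 91 from RFC 6113; 0 stands for an AS-REP. */
#define KDC_ERR_PREAUTH_REQUIRED           25
#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91
/* Hypothetical per-request module state, playing the role of modreq. */
struct toy_modreq { int kdc_msgs_seen; };
struct toy_result {
    int requests_sent;   /* AS-REQs sent before the exchange ended */
    int continuations;   /* times the module saw a non-first KDC message */
    int tried_len;       /* length of the tried-types list at the end */
    int status;          /* 0 = ticket, -1 = other error, -2 = hop limit */
};

/* Toy module step: modreq tells the first KDC message from later ones. */
static int toy_process(struct toy_modreq *mr)
{
    return mr->kdc_msgs_seen++ > 0;   /* 1 when this is a continuation */
}

/* Drive one exchange against a scripted list of KDC reply codes. */
struct toy_result toy_exchange(const int *replies, size_t n, int max_hops)
{
    struct toy_result r = { 0, 0, 0, -1 };
    struct toy_modreq mr = { 0 };

    for (size_t i = 0; i < n; i++) {
        int code = replies[i];        /* intermediate variable for the code */
        r.requests_sent++;
        if (code == 0) { r.status = 0; return r; }
        if (code != KDC_ERR_PREAUTH_REQUIRED &&
            code != KDC_ERR_MORE_PREAUTH_DATA_REQUIRED)
            return r;                 /* not a preauth negotiation error */
        if (r.requests_sent >= max_hops) { r.status = -2; return r; }
        r.tried_len = 0;              /* reset for both kinds of error */
        r.continuations += toy_process(&mr);
        r.tried_len++;                /* record the type used this hop */
    }
    return r;                         /* script ended without a ticket */
}

int main(void)
{
    static const int two_hop[] = { 25, 91, 0 };   /* constructed KDC script */
    struct toy_result r = toy_exchange(two_hop, 3, 8);
    printf("requests=%d continuations=%d status=%d\n",
           r.requests_sent, r.continuations, r.status);
    return r.status != 0;
}
```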