From: ghudson@mit.edu
Subject: git commit

Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED

Add support for multi-hop preauth mechs.

In the KDC, allow kdcpreauth modules to return
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.

In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
modules can use the modreq parameter to distinguish between the first
and subsequent KDC messages. We assume that the error padata will
include an element of the preauth mech's type, or at least of a type
recognized by the clpreauth module.

Also reset the list of previously attempted preauth types for both
kinds of errors. That list is really only appropriate for retrying
after a failed preauth attempt, which we don't currently do. Add an
intermediate variable for the reply code to avoid a long conditional
expression.

[ghudson@mit.edu: adjust get_in_tkt.c logic to avoid needing a helper
function; clarify commit message]

https://github.com/krb5/krb5/commit/95c3cab051aa1b8b4f7eb309bf135e8f51665baa
Author: Nathaniel McCallum <npmccallum@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 95c3cab051aa1b8b4f7eb309bf135e8f51665baa
Branch: master
doc/plugindev/clpreauth.rst | 6 +++---
src/include/k5-int.h | 1 +
src/kdc/kdc_preauth.c | 2 ++
src/lib/krb5/error_tables/krb5_err.et | 2 +-
src/lib/krb5/krb/get_in_tkt.c | 13 ++++++++-----
5 files changed, 15 insertions(+), 9 deletions(-)