Skip Menu |

Subject: git commit
Download (untitled) / with headers
text/plain 1.2KiB

Prevent requires_preauth bypass [CVE-2015-2694]

In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
the request is successfully verified. In the PKINIT kdcpreauth
module, don't respond with code 0 on empty input or an unconfigured
realm. Together these bugs could cause the KDC preauth framework to
erroneously treat a request as pre-authenticated.


In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key. This ciphertext could be
used to conduct an off-line dictionary attack against the user's


(cherry picked from commit e3b5a5e5267818c97750b266df50b6a3d4649604)
(cherry picked from commit df8afc60d970a7176a55ffe7ce21cfd57ba423cd)
Author: Greg Hudson <>
Committer: Tom Yu <>
Commit: b0c571e709c72da799ccc15fb5755f7910170e33
Branch: krb5-1.12
src/plugins/preauth/otp/main.c | 10 +++++++---
src/plugins/preauth/pkinit/pkinit_srv.c | 4 ++--
2 files changed, 9 insertions(+), 5 deletions(-)