Date: Fri, 15 Jul 2016 21:01:44 +0200
From: Sumit Bose <sbose@redhat.com>
To: krb5-bugs@mit.edu
Subject: Missing responder if there is no pre-auth
Hi,

if there is no pre-authentication required for a user principal, e.g.
set with '-requires_preauth' in kadmin.local, the responder is not
called on the client, only the prompter.

I would expect that if a password is needed at least a
KRB5_RESPONDER_QUESTION_PASSWORD responder question is requested before
the prompter is called.

Please let me know if I can provide any additional details or if this is
expected behavior.

bye,
Sumit
I think that's a bug (i.e. not expected behavior). I'll have to do some
analysis to figure out the best fix.
From: ghudson@mit.edu
Subject: git commit

Use responder for non-preauth AS requests

If no AS reply key is computed during pre-authentication (typically
because no pre-authentication was required by the KDC), ask for the
password using the responder before calling gak_fct for the key, and
supply any resulting responder items to gak_fct.

https://github.com/krb5/krb5/commit/0639adc91ae9f66496171d14a232eae3c02bda0d
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0639adc91ae9f66496171d14a232eae3c02bda0d
Branch: master
src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
src/tests/t_general.py | 5 +++++
2 files changed, 28 insertions(+), 1 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Use responder for non-preauth AS requests

If no AS reply key is computed during pre-authentication (typically
because no pre-authentication was required by the KDC), ask for the
password using the responder before calling gak_fct for the key, and
supply any resulting responder items to gak_fct.

(cherry picked from commit 0639adc91ae9f66496171d14a232eae3c02bda0d)

https://github.com/krb5/krb5/commit/2346029cd546f5a597ffff0fdda8b389e3e7258a
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 2346029cd546f5a597ffff0fdda8b389e3e7258a
Branch: krb5-1.14
src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
src/tests/t_general.py | 5 +++++
2 files changed, 28 insertions(+), 1 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Use responder for non-preauth AS requests

If no AS reply key is computed during pre-authentication (typically
because no pre-authentication was required by the KDC), ask for the
password using the responder before calling gak_fct for the key, and
supply any resulting responder items to gak_fct.

(cherry picked from commit 0639adc91ae9f66496171d14a232eae3c02bda0d)

https://github.com/krb5/krb5/commit/af6f7168b1a13edfc8824e0d26741fec010e0657
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: af6f7168b1a13edfc8824e0d26741fec010e0657
Branch: krb5-1.13
src/lib/krb5/krb/get_in_tkt.c | 24 +++++++++++++++++++++++-
src/tests/t_general.py | 5 +++++
2 files changed, 28 insertions(+), 1 deletions(-)
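
The ordering described in the commit message above, as an added example that is not code from the krb5 source tree: a self-contained C model in which every name (`model_no_preauth_key`, `model_gak`, `app_responder`, `app_prompter`) and both sample passwords are constructed. It assumes the key callback prefers a responder answer and only prompts when none was supplied.

```c
/* Simplified model of the client-side step; not libkrb5 code.
 * Every name and both passwords below are constructed for illustration. */
#include <stdio.h>
#include <string.h>

struct items { const char *question, *answer; };    /* models responder items */
struct app { const char *stored_pw; int prompts; }; /* application state */
typedef void (*responder_fn)(struct items *it, void *data);
typedef const char *(*prompter_fn)(void *data);

/* Application responder: answers the password question non-interactively. */
static void app_responder(struct items *it, void *data) {
    struct app *a = data;
    if (it->question != NULL && strcmp(it->question, "password") == 0)
        it->answer = a->stored_pw;
}

/* Application prompter: interactive fallback; counts how often it runs. */
static const char *app_prompter(void *data) {
    struct app *a = data;
    a->prompts++;
    return "typed-at-terminal";
}

/* Models gak_fct (assumed): responder answer if present, else the prompter. */
static const char *model_gak(const struct items *it, prompter_fn p, void *data) {
    return (it != NULL && it->answer != NULL) ? it->answer : p(data);
}

/* Step taken when pre-authentication produced no AS reply key.
 * ask_responder 0 = behaviour in the report, 1 = behaviour after the commit. */
static const char *model_no_preauth_key(int ask_responder, responder_fn r,
                                        prompter_fn p, void *data) {
    struct items it = { NULL, NULL };
    if (!ask_responder)
        return model_gak(NULL, p, data);
    it.question = "password";
    if (r != NULL)
        r(&it, data);
    return model_gak(&it, p, data);
}

int main(void) {
    struct app a = { "from-keyring", 0 };
    printf("report: %s\n", model_no_preauth_key(0, app_responder, app_prompter, &a));
    printf("commit: %s\n", model_no_preauth_key(1, app_responder, app_prompter, &a));
    printf("prompter calls: %d\n", a.prompts);
    return 0;
}
```

An application that registers only a responder and relies on it for non-interactive password supply sees the first case as an unexpected interactive prompt.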