Skip Menu |

Subject: Preauth tryagain should copy KDC cookie
RFC 6113 requires that "The client MUST copy the exact cookie
encapsulated in a PA-FX-COOKIE data element into the next message of the
same conversation." When we try again after a mechanism-specific error
(which in practice means a PKINIT error), we do not copy the KDC cookie.
We should fix this for better performance, but we do not need to
backport the fix as PKINIT does not require the use of cookies.
Subject: git commit

Echo KDC cookies in preauth tryagain

When trying again after a mechanism-specific error, we should send the
KDC cookie for conformance with RFC 6113.
Author: Greg Hudson <>
Commit: 25f12e90d98b677d0a72893b3c6eb859377aee68
Branch: master
src/lib/krb5/krb/preauth2.c | 8 +++++++-
src/tests/ | 6 ++++--
2 files changed, 11 insertions(+), 3 deletions(-)