
Subject: etype-info not included in hint list for REQUIRES_HW_AUTH principals
When constructing the preauth hint list, hint_list_next() discards
preauth system entries which don't have PA_HARDWARE set if the client
principal has the KRB5_KDB_REQUIRES_HW_AUTH bit set. A similar
decision applies all the way back to the 1.0 release. The intent is
not to offer preauth mechs like encrypted timestamp which won't satisfy
the requirement for hardware preauth.

We use static preauth system entries to add etype-info or etype-info2
entries to the hint list. These entries do not have the PA_HARDWARE
flag set (unlike the entry for KRB5_PADATA_FX_FAST), so we do not
include etype-info in the hint list for principals which require
hardware auth. The practical upshot is that SAM-2 preauth probably
won't work for principals which don't use the default salt.
Testing confirms that SAM-2 preauth (using the testing "grail" option)
does not currently work with a non-default salt.

If we add the PA_HARDWARE flag to the etype-info system entries, it
still doesn't work, because verify_grail_data() insists on a key with
the normal salt type. (verify_securid_data_2() does the same thing.)
But if that call to krb5_dbe_find_enctype() is changed to allow any
salt type, then it works.
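The two independent gates the ticket describes (the PA_HARDWARE filter in the hint list, and the salt-type match in the key lookup) are modeled below. This is an added illustration written for this page, not krb5's own code: only the flag and function names are taken from the ticket; the dataclasses, the `hint_list()`/`find_key()` stand-ins, the `ANY_SALT` sentinel, the PBKDF2 stand-in for string-to-key, the principal `alice@EXAMPLE.COM`, its stored salt and the choice to model PA-SAM-CHALLENGE-2 as a PA_HARDWARE entry are all constructed assumptions.

```python
"""Model of the two failure points in the ticket: etype-info2 dropped from
the PREAUTH_REQUIRED hints for a REQUIRES_HW_AUTH principal, and a key
lookup that insists on the default salt type.  Constructed stand-ins, not
krb5 code."""

import hashlib
from dataclasses import dataclass

# Names from the ticket; the numeric values are arbitrary (assumption).
PA_HARDWARE = 0x0008                 # preauth system entry satisfies hw preauth
KRB5_KDB_REQUIRES_HW_AUTH = 0x0100   # principal attribute bit
KRB5_KDB_SALTTYPE_NORMAL = 0         # default salt: realm + name components
KRB5_KDB_SALTTYPE_SPECIAL = 5        # explicit salt string stored in the KDB
ANY_SALT = -1                        # constructed sentinel: accept any salt type


@dataclass
class PreauthSystem:
    pa_type: str
    flags: int = 0


@dataclass
class KeyData:
    enctype: str
    salttype: int
    salt: bytes


@dataclass
class Principal:
    realm: str
    components: tuple
    attributes: int
    keys: list


def default_salt(princ):
    """RFC 4120 default salt: the realm followed by the name components."""
    return (princ.realm + "".join(princ.components)).encode()


def hint_list(systems, princ):
    """Stand-in for hint_list_next(): when the principal requires hardware
    preauth, keep only entries that carry PA_HARDWARE."""
    hw = bool(princ.attributes & KRB5_KDB_REQUIRES_HW_AUTH)
    return [s.pa_type for s in systems if not hw or (s.flags & PA_HARDWARE)]


def find_key(princ, enctype, salttype):
    """Stand-in for krb5_dbe_find_enctype(): match the enctype and, unless
    ANY_SALT is requested, the salt type as well."""
    for k in princ.keys:
        if k.enctype == enctype and (salttype == ANY_SALT or k.salttype == salttype):
            return k
    return None


def string_to_key(password, salt):
    """Stand-in for string-to-key (the real aes variant adds a DK step)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 16)


def run(etype_info_flags, kdc_lookup_salttype, password="correct horse"):
    """One round of the model.  Returns whether etype-info2 was offered,
    whether the client derived the KDB's key, and whether the KDC lookup
    found a key at all."""
    princ = Principal("EXAMPLE.COM", ("alice",), KRB5_KDB_REQUIRES_HW_AUTH, [])
    stored_salt = b"legacy-salt"   # constructed non-default salt
    princ.keys.append(KeyData("aes256-cts", KRB5_KDB_SALTTYPE_SPECIAL, stored_salt))
    kdb_key = string_to_key(password, stored_salt)

    systems = [
        PreauthSystem("PA-ENC-TIMESTAMP", 0),
        PreauthSystem("PA-ETYPE-INFO2", etype_info_flags),
        PreauthSystem("PA-FX-FAST", PA_HARDWARE),
        PreauthSystem("PA-SAM-CHALLENGE-2", PA_HARDWARE),  # modeled as hardware
    ]
    hints = hint_list(systems, princ)

    # Client side: etype-info2 would carry the stored salt; without it the
    # client can only fall back to the default salt and derives the wrong key.
    salt = stored_salt if "PA-ETYPE-INFO2" in hints else default_salt(princ)
    client_key = string_to_key(password, salt)

    # KDC side: the verify routine's key lookup, with the salt type it asks for.
    found = find_key(princ, "aes256-cts", kdc_lookup_salttype)
    return {
        "etype_info_offered": "PA-ETYPE-INFO2" in hints,
        "client_key_correct": client_key == kdb_key,
        "kdc_found_key": found is not None,
    }
```

`run(0, KRB5_KDB_SALTTYPE_NORMAL)` is the state the ticket starts from: nothing works. Giving the etype-info entry PA_HARDWARE fixes the client's key but the KDC lookup still fails; only `run(PA_HARDWARE, ANY_SALT)` succeeds on both sides, which is why the fix needed two commits.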
Subject: git commit

Include etype-info for hardware preauth hints

If a principal has the requires_hwauth bit set, include PA-ETYPE-INFO
or PA-ETYPE-INFO2 padata in the PREAUTH_REQUIRED error, as preauth
mechs involving hardware tokens may also use the principal's Kerberos
Author: Greg Hudson <>
Commit: ba92da05accc524b8037453b63ced1a6c65fd2a1
Branch: master
src/kdc/kdc_preauth.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
Subject: git commit

Fix securid_sam2 preauth for non-default salt

When looking up the client long-term key, look for any salt type, not
just the default salt type.
Author: Greg Hudson <>
Commit: a2339099ad13c84de0843fd04d0ba612fc194a1e
Branch: master
src/plugins/preauth/securid_sam2/grail.c | 3 +--
src/plugins/preauth/securid_sam2/securid2.c | 3 +--
2 files changed, 2 insertions(+), 4 deletions(-)