From: ghudson@mit.edu
Subject: requires_hwauth can cause a preauth loop with PKINIT
Date: Wed, 19 Jan 2022 11:19:33 -0500
To: rt@kerborg-prod-app-1.mit.edu
If an admin sets requires_hwauth on a principal and configures PKINIT but not a certauth module to set the hw-authent ticket flag, this happens during an AS request:
1. The client sends an unauthenticated request.
2. The KDC responds with PREAUTH_REQUIRED and a hint list offering PKINIT.
3. The client sends a PKINIT-authenticated request.
4. The KDC validates the PKINIT padata, but determines that the preauth requirements are not met, so responds again with PREAUTH_REQUIRED and the same hint list.
and we repeat from step 2 until the loop count is detected. This is similar to issue 7672, but there the problem is a useless hint list. Issue 8879 (certauth) is related because it allows PKINIT to be offered for requires_hwauth client principals.
The KDC should probably recognize this situation at step 4 (specifically, that pre-authent is set but not hw-authent), log a specific message about insufficient preauth, and respond with PREAUTH_FAILED instead of PREAUTH_REQUIRED.
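The exchange above as a constructed model (added here; not krb5 code): a toy KDC and client run the four steps, first with the current behaviour, where the client's loop detection is what ends the exchange, and then with the proposed step-4 check that turns the second PREAUTH_REQUIRED into PREAUTH_FAILED. Names such as kdc_handle, client_as_exchange, certauth_sets_hwauth and fixed are assumptions of the model.

```python
# Constructed model of the AS exchange in the report above; not krb5 code.
# kdc_handle, client_as_exchange, certauth_sets_hwauth, fixed are assumed names.
from dataclasses import dataclass, field

PREAUTH_REQUIRED = "KDC_ERR_PREAUTH_REQUIRED"
PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"
AS_REP = "AS-REP"
HINTS = ["PKINIT"]          # hint list the KDC offers in step 2

@dataclass
class Principal:
    requires_hwauth: bool = False

@dataclass
class Request:
    padata: set = field(default_factory=set)   # padata types carried, e.g. {"PKINIT"}

def kdc_handle(req, princ, certauth_sets_hwauth, fixed, log):
    """KDC side. `fixed` switches on the behaviour proposed in the report."""
    if not req.padata:                          # steps 1/2: unauthenticated request
        return PREAUTH_REQUIRED, HINTS
    # Step 4: PKINIT padata validates, so pre-authent is set; hw-authent is
    # only set if a certauth module sets it.
    pre_authent = "PKINIT" in req.padata
    hw_authent = pre_authent and certauth_sets_hwauth
    if princ.requires_hwauth and not hw_authent:
        if fixed:
            log.append("insufficient preauth: pre-authent set but hw-authent not set")
            return PREAUTH_FAILED, None
        return PREAUTH_REQUIRED, HINTS          # current behaviour: same hints again
    return AS_REP, None

def client_as_exchange(princ, certauth_sets_hwauth, fixed, max_loops=5):
    """Client side: answer each PREAUTH_REQUIRED with the hinted PKINIT padata,
    giving up after max_loops rounds (the client's loop detection)."""
    log, trace, req = [], [], Request()
    for _ in range(max_loops):
        reply, hints = kdc_handle(req, princ, certauth_sets_hwauth, fixed, log)
        trace.append(reply)
        if reply != PREAUTH_REQUIRED:
            return trace, log
        req = Request(padata=set(hints))       # step 3: retry with PKINIT
    trace.append("CLIENT_LOOP_DETECTED")
    return trace, log
```

With requires_hwauth set and no certauth module, the unfixed KDC answers PREAUTH_REQUIRED five times before the client gives up; the fixed KDC answers PREAUTH_REQUIRED once, then PREAUTH_FAILED with a log line.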