From: ghudson@mit.edu
Subject: requires_hwauth can cause a preauth loop with PKINIT
Date: Wed, 19 Jan 2022 11:19:33 -0500
To: rt@kerborg-prod-app-1.mit.edu
If an admin sets requires_hwauth on a principal and configures PKINIT but not a certauth module to set the hw-authent ticket flag, this happens during an AS request:

1. The client sends an unauthenticated request.
2. The KDC responds with PREAUTH_REQUIRED and a hint list offering PKINIT.
3. The client sends a PKINIT-authenticated request.
4. The KDC validates the PKINIT padata, but determines that the preauth requirements are not met, so responds again with PREAUTH_REQUIRED and the same hint list.

and we repeat again from step 2 until the loop count is detected.  This is similar to issue 7672, but there the problem is a useless hint list.  Issue 8879 (certauth) is related because it allows PKINIT to be offered for requires_hwauth client principals.

The KDC should probably recognize this situation at step 4 (specifically, that pre-authent is set but not hw-authent), log a specific message about insufficient preauth, and respond with PREAUTH_FAILED instead of PREAUTH_REQUIRED.
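The exchange above, modeled as an added example (not krb5 code): the client keeps answering the same PKINIT hint list until its loop cap, while the proposed KDC check (pre-authent set but hw-authent not) stops the exchange with PREAUTH_FAILED after one PKINIT round trip. Error names, the ticket-flag strings, the loop limit and the `fail_on_insufficient` switch are simplifying assumptions for this model.

```python
from dataclasses import dataclass, field

PREAUTH_REQUIRED = "KDC_ERR_PREAUTH_REQUIRED"
PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"
PA_PK_AS_REQ = "PA-PK-AS-REQ"
LOOP_LIMIT = 5  # assumed client-side cap on preauth round trips

@dataclass
class Principal:
    requires_preauth: bool = True
    requires_hwauth: bool = True

@dataclass
class KDC:
    # False = behaviour described in the ticket, True = proposed fix
    fail_on_insufficient: bool
    log: list = field(default_factory=list)

    def as_request(self, princ, padata):
        """Decide the reply to one AS-REQ carrying the given padata types."""
        flags = set()
        if PA_PK_AS_REQ in padata:
            # PKINIT verified; no certauth module sets hw-authent (assumption)
            flags.add("pre-authent")
        if princ.requires_preauth and "pre-authent" not in flags:
            return PREAUTH_REQUIRED, [PA_PK_AS_REQ]   # hint list offers PKINIT
        if princ.requires_hwauth and "hw-authent" not in flags:
            if self.fail_on_insufficient and "pre-authent" in flags:
                self.log.append("preauth verified but hw-authent not set: "
                                "insufficient preauth for requires_hwauth")
                return PREAUTH_FAILED, []
            # Current behaviour: same hint list again, which the client re-answers
            return PREAUTH_REQUIRED, [PA_PK_AS_REQ]
        return "AS-REP", []

def run_client(kdc, princ):
    """Drive the AS exchange as a client would; returns (outcome, round_trips)."""
    padata = []
    for rt in range(1, LOOP_LIMIT + 1):
        code, hints = kdc.as_request(princ, padata)
        if code in ("AS-REP", PREAUTH_FAILED):
            return code, rt
        padata = list(hints)  # answer the hint list with PKINIT padata
    return "LOOP_DETECTED", LOOP_LIMIT

if __name__ == "__main__":
    print(run_client(KDC(fail_on_insufficient=False), Principal()))  # loops
    print(run_client(KDC(fail_on_insufficient=True), Principal()))   # fails fast
```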