[krbdev.mit.edu #8063] git commit

Greg Hudson via RT rt-comment at krbdev.mit.edu
Wed Jan 28 17:37:25 EST 2015


Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED

Add support for multi-hop preauth mechs.

In the KDC, allow kdcpreauth modules to return
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.

In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED.  clpreauth
modules can use the modreq parameter to distinguish between the first
and subsequent KDC messages.  We assume that the error padata will
include an element of the preauth mech's type, or at least of a type
recognized by the clpreauth module.

Also reset the list of previously attempted preauth types for both
kinds of errors.  That list is really only appropriate for retrying
after a failed preauth attempt, which we don't currently do.  Add an
intermediate variable for the reply code to avoid a long conditional
expression.

[ghudson at mit.edu: adjust get_in_tkt.c logic to avoid needing a helper
function; clarify commit message]

https://github.com/krb5/krb5/commit/95c3cab051aa1b8b4f7eb309bf135e8f51665baa
Author: Nathaniel McCallum <npmccallum at redhat.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 95c3cab051aa1b8b4f7eb309bf135e8f51665baa
Branch: master
 doc/plugindev/clpreauth.rst           |    6 +++---
 src/include/k5-int.h                  |    1 +
 src/kdc/kdc_preauth.c                 |    2 ++
 src/lib/krb5/error_tables/krb5_err.et |    2 +-
 src/lib/krb5/krb/get_in_tkt.c         |   13 ++++++++-----
 5 files changed, 15 insertions(+), 9 deletions(-)
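The two-round exchange the commit describes, as an added illustration that is not code from the krb5 commit or the project: a simplified model of a kdcpreauth module that returns KDC_ERR_MORE_PREAUTH_DATA_REQUIRED after the first hop, a clpreauth module that uses modreq to tell the first KDC message from later ones, and a client loop that treats both error codes alike and resets the attempted-types list. The module classes, the padata type number and the message contents are constructed for the example.

```python
# Simplified model of multi-hop preauth (RFC 6113). Not libkrb5 or KDC code;
# the modules, padata type 200 and message strings are constructed here.
KDC_ERR_PREAUTH_REQUIRED = 25            # RFC 4120 error code
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED = 91  # RFC 6113 error code
PA_DEMO = 200                            # constructed padata type (assumption)

class DemoKdcPreauth:
    """KDC-side module: needs two client round trips before it succeeds."""
    def verify(self, padata):
        if padata.get(PA_DEMO) == "hop1":
            # First hop accepted; ask for more data as RFC 6113 allows.
            return KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, {PA_DEMO: "challenge"}
        if padata.get(PA_DEMO) == "hop2":
            return 0, {}                      # success: ticket would be issued
        return KDC_ERR_PREAUTH_REQUIRED, {PA_DEMO: "hint"}

class DemoClPreauth:
    """Client-side module: modreq is None only for the first KDC message."""
    def process(self, modreq, err_padata):
        if modreq is None:                    # first message for this mech
            return {"hops": 1}, {PA_DEMO: "hop1"}
        modreq["hops"] += 1                   # subsequent message: continue
        return modreq, {PA_DEMO: "hop2"}

def get_in_tkt(kdc, clmod, max_rounds=5):
    """Model of the client loop: both error codes restart mech selection."""
    modreq, padata, attempted = None, {}, []
    for rounds in range(1, max_rounds + 1):
        code, err_padata = kdc.verify(padata)     # intermediate reply code
        if code == 0:
            return {"rounds": rounds, "hops": modreq["hops"]}
        if code in (KDC_ERR_PREAUTH_REQUIRED,
                    KDC_ERR_MORE_PREAUTH_DATA_REQUIRED):
            attempted = []                        # reset previously tried types
            if PA_DEMO not in err_padata:
                raise RuntimeError("error padata carries no recognised type")
            modreq, padata = clmod.process(modreq, err_padata)
            attempted.append(PA_DEMO)
        else:
            raise RuntimeError(f"KDC error {code}")
    raise RuntimeError("too many preauth rounds")

if __name__ == "__main__":
    print(get_in_tkt(DemoKdcPreauth(), DemoClPreauth()))
```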
