[krbdev.mit.edu #8629] etype-info not included in hint list for REQUIRES_HW_AUTH principals
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Thu Dec 21 13:17:04 EST 2017
When constructing the preauth hint list, hint_list_next() discards
preauth system entries which don't have PA_HARDWARE set if the client
principal has the KRB5_KDB_REQUIRES_HW_AUTH bit set. A similar
decision applies all the way back to the 1.0 release. The intent is
not to offer preauth mechs like encrypted timestamp which won't satisfy
the requirement for hardware preauth.
We use static preauth system entries to add etype-info or etype-info2
entries to the hint list. These entries do not have the PA_HARDWARE
flag set (unlike the entry for KRB5_PADATA_FX_FAST), so we do not
include etype-info in the hint list for principals which require
hardware auth. The practical upshot is that SAM-2 preauth probably
won't work for principals which don't use the default salt.
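As an added illustration (not code from the report or from krb5 itself), this C model of the filter hint_list_next() applies shows why etype-info2 falls out of the hint list for a KRB5_KDB_REQUIRES_HW_AUTH principal; the PA_INFO_ONLY flag, the flag values and the sample table are assumptions, and offer_fixed() is one possible narrowing of the check, not MIT's actual fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Constructed model of the KDC's preauth-system table: names follow the
 * report, but the flag values, PA_INFO_ONLY and the table are assumptions. */
#define PA_HARDWARE               0x01  /* satisfies hardware preauth */
#define PA_INFO_ONLY              0x02  /* assumed: hint-only entry */
#define KRB5_KDB_REQUIRES_HW_AUTH 0x04  /* client principal attribute */
struct pa_system { const char *name; unsigned flags; };
static const struct pa_system systems[] = {
    { "encrypted-timestamp", 0 },
    { "etype-info2",         PA_INFO_ONLY },
    { "SAM-2",               PA_HARDWARE },
    { "FX_FAST",             PA_HARDWARE },
};
#define NSYSTEMS (sizeof(systems) / sizeof(systems[0]))

/* Reported behaviour: with REQUIRES_HW_AUTH set, every entry lacking
 * PA_HARDWARE is dropped, so etype-info never reaches the client. */
static bool offer_original(unsigned attrs, const struct pa_system *s)
{
    return !((attrs & KRB5_KDB_REQUIRES_HW_AUTH) && !(s->flags & PA_HARDWARE));
}

/* One way to narrow the check (an assumption, not MIT's own fix): hint-only
 * entries are kept so the client can still derive its salted key. */
static bool offer_fixed(unsigned attrs, const struct pa_system *s)
{
    return (s->flags & PA_INFO_ONLY) || offer_original(attrs, s);
}
/* Build the hint list for a client; returns the number of names written. */
size_t hint_list(unsigned attrs, bool fixed, const char **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < NSYSTEMS && n < max; i++) {
        bool keep = fixed ? offer_fixed(attrs, &systems[i])
                          : offer_original(attrs, &systems[i]);
        if (keep)
            out[n++] = systems[i].name;
    }
    return n;
}

/* Is the named entry in the hint list built for these client attributes? */
bool offered(unsigned attrs, bool fixed, const char *name)
{
    const char *list[NSYSTEMS];
    for (size_t n = hint_list(attrs, fixed, list, NSYSTEMS); n > 0; n--)
        if (strcmp(list[n - 1], name) == 0)
            return true;
    return false;
}
```

With the original check, a hardware-auth principal receives SAM-2 and FX_FAST hints but no etype-info2, which is the situation the report describes for non-default-salt principals.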