svn rev #22292: trunk/src/kdc/
hartmans@MIT.EDU
hartmans at MIT.EDU
Wed Apr 29 20:38:49 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22292
Commit By: hartmans
Log Message:
ticket: 6480
Subject: Do not return PREAUTH_FAILED on unknown preauth
Target_Version: 1.7
Tags: pullup
If the KDC receives unknown pre-authentication data then ignore it.
Do not get into a case where PREAUTH_FAILED is returned because of
unknown pre-authentication. The main AS loop will cause
PREAUTH_REQUIRED to be returned if the preauth_required flag is set
and no valid preauth is found.
Changed Files:
U trunk/src/kdc/kdc_preauth.c
Modified: trunk/src/kdc/kdc_preauth.c
===================================================================
--- trunk/src/kdc/kdc_preauth.c 2009-04-29 23:21:21 UTC (rev 22291)
+++ trunk/src/kdc/kdc_preauth.c 2009-04-30 00:38:48 UTC (rev 22292)
@@ -1204,17 +1204,11 @@
if (pa_ok)
return 0;
- /* pa system was not found, but principal doesn't require preauth */
- if (!pa_found &&
- !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
- !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+ /* pa system was not found; we may return PREAUTH_REQUIRED later,
+ but we did not actually fail to verify the pre-auth. */
+ if (!pa_found)
return 0;
- if (!pa_found) {
- emsg = krb5_get_error_message(context, retval);
- krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg);
- krb5_free_error_message(context, emsg);
- }
/* The following switch statement allows us
* to return some preauth system errors back to the client.
More information about the cvs-krb5
mailing list