krb5 commit: Allow multi-hop SAM-2 exchanges
Greg Hudson
ghudson at MIT.EDU
Tue Feb 19 12:12:52 EST 2013
https://github.com/krb5/krb5/commit/f20a77e879d203cdcb1bdbf9dc8e604a5187c88f
commit f20a77e879d203cdcb1bdbf9dc8e604a5187c88f
Author: Greg Hudson <ghudson at mit.edu>
Date: Sun Feb 17 12:44:45 2013 -0500
Allow multi-hop SAM-2 exchanges
Prior to 1.11, it was possible to do SAM-2 preauth exchanges with
multiple hops by sending repeated preauth-required errors with
different challenges (which is not the way multi-hop exchanges are
described in RFC 6113, but it can still work). This stopped working
when SAM-2 was converted to a built-in module. Make it work again.
ticket: 7571 (new)
target_version: 1.11.1
tags: pullup
src/lib/krb5/krb/preauth2.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 74a4f27..7252048 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -570,6 +570,11 @@ already_tried(krb5_context context, krb5_preauthtype pa_type)
size_t count;
krb5_preauthtype *newptr;
+ /* Allow multi-hop SAM-2 exchanges using repeated preauth-required errors
+ * for historical compatibility. */
+ if (pa_type == KRB5_PADATA_SAM_CHALLENGE_2)
+ return FALSE;
+
for (count = 0; pctx->tried != NULL && pctx->tried[count] != 0; count++) {
if (pctx->tried[count] == pa_type)
return TRUE;
More information about the cvs-krb5
mailing list