MIT preference of returning KEY_EXP vs. NAME_EXP
Phil Pishioneri
pgp at psu.edu
Mon Jan 19 14:48:13 EST 2009
If both a client principal and its password have expired, is the fact
that the MIT KDC prefers to return a status of KDC_ERR_KEY_EXP over
KDC_ERR_NAME_EXP a deliberate choice, or just how it is? And if "how it
is", would a bug (to switch the two checks around) be likely to be accepted?
The code in question is in kdc/kdc_util.c, validate_as_request(),
approx. line 907 on the trunk:
    /* The client's password must not be expired, unless the server is
       a KRB5_KDC_PWCHANGE_SERVICE. */
    if (client.pw_expiration && client.pw_expiration < kdc_time &&
        !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
        return(KRB_ERR_GENERIC);
#else
        return(KDC_ERR_KEY_EXP);
#endif
    }

    /* The client must not be expired */
    if (client.expiration && client.expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
        return(KRB_ERR_GENERIC);
#else
        return(KDC_ERR_NAME_EXP);
#endif
    }
Heimdal appears to prefer NAME_EXP; don't know how other KDCs act.
-Phil
(Asked on kerberos instead of krbdev since it could be a policy question.)
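Added illustration, not MIT's code and not from the post above: a small model of the two expiration checks, run under the current MIT ordering and under the swapped ordering, using the error numbers from RFC 4120. The client_entry struct, the pwchange flag argument and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Error codes from RFC 4120 section 7.5.9. */
#define KDC_ERR_NAME_EXP 1   /* client's entry in database has expired */
#define KDC_ERR_KEY_EXP  23  /* password has expired */
#define ERR_OK           0   /* constructed: neither check fired */

/* Constructed stand-in for the KDB fields the two checks read (0 = never). */
struct client_entry { uint32_t expiration; uint32_t pw_expiration; };

/* Password check as MIT writes it: skipped when the server is the
 * password-change service, so an expired password can still reach kpasswd. */
static int pw_expired(const struct client_entry *c, uint32_t t, bool pwchange)
{
    if (c->pw_expiration && c->pw_expiration < t && !pwchange)
        return KDC_ERR_KEY_EXP;
    return ERR_OK;
}

static int name_expired(const struct client_entry *c, uint32_t t)
{
    if (c->expiration && c->expiration < t)
        return KDC_ERR_NAME_EXP;
    return ERR_OK;
}

/* MIT ordering: password expiry is tested before principal expiry. */
int validate_mit_order(const struct client_entry *c, uint32_t t, bool pwchange)
{
    int rc = pw_expired(c, t, pwchange);
    return rc ? rc : name_expired(c, t);
}

/* Swapped ordering proposed in the post: principal expiry first. */
int validate_name_first(const struct client_entry *c, uint32_t t, bool pwchange)
{
    int rc = name_expired(c, t);
    return rc ? rc : pw_expired(c, t, pwchange);
}

int main(void)
{
    /* Constructed case: both the principal and its password expired before t. */
    struct client_entry both = { .expiration = 500, .pw_expiration = 600 };
    printf("MIT order -> %d, name-first -> %d, MIT order via pwchange svc -> %d\n",
           validate_mit_order(&both, 1000, false),
           validate_name_first(&both, 1000, false),
           validate_mit_order(&both, 1000, true));
    return 0;
}
```

Note that under the MIT ordering the password-change service is the one place where a doubly expired client already gets NAME_EXP, because the password check is skipped there.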