MIT preference of returning KEY_EXP vs. NAME_EXP

Phil Pishioneri pgp at psu.edu
Mon Jan 19 14:48:13 EST 2009


If both a client principal and its password have expired, is the fact 
that the MIT KDC prefers to return a status of KDC_ERR_KEY_EXP over 
KDC_ERR_NAME_EXP a deliberate choice, or just how it is? And if "how it 
is", would a bug (to switch the two checks around) be likely to be accepted?

The code in question is in kdc/kdc_util.c, validate_as_request(), 
approx. line 907 on the trunk:

     /* The client's password must not be expired, unless the server is
        a KRB5_KDC_PWCHANGE_SERVICE. */
     if (client.pw_expiration && client.pw_expiration < kdc_time &&
         !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
         *status = "CLIENT KEY EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
         return(KRB_ERR_GENERIC);
#else
         return(KDC_ERR_KEY_EXP);
#endif
     }

     /* The client must not be expired */
     if (client.expiration && client.expiration < kdc_time) {
         *status = "CLIENT EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
         return(KRB_ERR_GENERIC);
#else
         return(KDC_ERR_NAME_EXP);
#endif
     }


Heimdal appears to prefer NAME_EXP; don't know how other KDCs act.

-Phil

(Asked on kerberos instead of krbdev since it could be a policy question.)
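The following is an added example, not code from the thread, from MIT Kerberos or from Heimdal. It models the two expiration checks quoted above as a small standalone function that can run them in either order, so the outcome for a principal whose password and account have both expired can be compared for the MIT order (key check first) and the Heimdal-style order (name check first). The struct, the enum, the function names and the sample timestamps are constructed for this illustration; the two error numbers are the RFC 4120 values for KDC_ERR_NAME_EXP (1) and KDC_ERR_KEY_EXPIRED (23).

```c
/* Added example: a model of the expiration checks in validate_as_request(),
 * parameterised by check order. Not MIT or Heimdal code. */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* RFC 4120 section 7.5.9 error numbers; 0 is a constructed "no error". */
#define KDC_OK            0
#define KDC_ERR_NAME_EXP  1
#define KDC_ERR_KEY_EXP  23

/* Constructed stand-in for the KDB entry fields used by the two checks.
 * A value of 0 means "never expires", as in the quoted code. */
struct principal_entry {
    time_t pw_expiration;
    time_t expiration;
};

enum check_order {
    KEY_EXP_FIRST,   /* MIT order as quoted in the thread */
    NAME_EXP_FIRST   /* the order Heimdal is said to prefer */
};

/* Password-expiry check, skipped when the target is a password-change
 * service (server_is_pwchange models the KRB5_KDB_PWCHANGE_SERVICE flag). */
static int check_key_exp(const struct principal_entry *c, time_t now,
                         bool server_is_pwchange, const char **status)
{
    if (c->pw_expiration && c->pw_expiration < now && !server_is_pwchange) {
        *status = "CLIENT KEY EXPIRED";
        return KDC_ERR_KEY_EXP;
    }
    return KDC_OK;
}

/* Account-expiry check. */
static int check_name_exp(const struct principal_entry *c, time_t now,
                          const char **status)
{
    if (c->expiration && c->expiration < now) {
        *status = "CLIENT EXPIRED";
        return KDC_ERR_NAME_EXP;
    }
    return KDC_OK;
}

/* Run both checks in the requested order; the first failure wins, which is
 * exactly why the order decides what the client is told when both hold. */
int validate_client(const struct principal_entry *c, time_t now,
                    bool server_is_pwchange, enum check_order order,
                    const char **status)
{
    int rc;
    *status = "OK";
    if (order == KEY_EXP_FIRST) {
        if ((rc = check_key_exp(c, now, server_is_pwchange, status)) != KDC_OK)
            return rc;
        return check_name_exp(c, now, status);
    }
    if ((rc = check_name_exp(c, now, status)) != KDC_OK)
        return rc;
    return check_key_exp(c, now, server_is_pwchange, status);
}

int main(void)
{
    /* Constructed sample: KDC clock at 2000, both expirations in the past. */
    const time_t kdc_time = 2000;
    const struct principal_entry both = { .pw_expiration = 1500, .expiration = 1800 };
    const char *status;
    int rc;

    rc = validate_client(&both, kdc_time, false, KEY_EXP_FIRST, &status);
    printf("MIT order      -> %2d (%s)\n", rc, status);
    rc = validate_client(&both, kdc_time, false, NAME_EXP_FIRST, &status);
    printf("Heimdal order  -> %2d (%s)\n", rc, status);
    rc = validate_client(&both, kdc_time, true, KEY_EXP_FIRST, &status);
    printf("MIT, pwchange  -> %2d (%s)\n", rc, status);
    return 0;
}
```

When only one of the two conditions holds, both orderings agree; the ordering only matters in the case Phil raises, where both have expired, and there it decides whether the client learns that its key or its principal is the problem. Note also that under the MIT order the account-expiry result still surfaces when the request targets a password-change service, because the key check is skipped for that server.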
