preauth module use_count check preventing new password retry
Chris Hecker
checker at d6.com
Wed Feb 22 02:14:01 EST 2012
The check for if (module->use_count > 0) in preauth2.c is kind of hosing
me, so I'm wondering what I'm doing wrong here...
I have +requires_preauth set on a princ. My game uses a keytab and a
ccache to store the user's login information locally. Here are the
repro steps for my problem:
0. The game creates a krb5_context.
1. Give my game a princ and the wrong password.
2. The game creates a keytab with this info, and an empty ccache.
3. The game calls krb5_get_init_creds_keytab with this keytab and
ccache as the destination.
4. The call fails with KRB5_PREAUTH_FAILED
5. The game closes the bad keytab and (emtpy) ccache, deletes the
keytab and ccache files.
6. Give the princ and right password.
7. Same as 2, with correct password.
8. Same as 3, with new keytab.
9. This time, since module->use_count > 0, the preauth process is never
called with the right key, so the preauth fails again.
10. I am sad.
Do I need to toast the whole krb5_context in step 5? That seems
extreme, since I can use these contexts with multiple different
auth_contexts and whatnot, they seem pretty independent of the current
state of the login process, etc.
There's a krb5-int.h function krb5_clear_preauth_context_use_counts,
which doesn't do me much good.
Chris
More information about the Kerberos
mailing list