preauth module use_count check preventing new password retry

Chris Hecker checker at d6.com
Wed Feb 22 02:23:29 EST 2012


Deleting the krb5_contexts on the thread that talks to the kdc fixes
this, but seems hacky.

Chris


On 2012/02/21 23:14, Chris Hecker wrote:
> 
> The check for if (module->use_count > 0) in preauth2.c is kind of hosing
> me, so I'm wondering what I'm doing wrong here...
> 
> I have +requires_preauth set on a princ.  My game uses a keytab and a
> ccache to store the user's login information locally.  Here are the
> repro steps for my problem:
> 
> 0.  The game creates a krb5_context.
> 1.  Give my game a princ and the wrong password.
> 2.  The game creates a keytab with this info, and an empty ccache.
> 3.  The game calls krb5_get_init_creds_keytab with this keytab and
> ccache as the destination.
> 4.  The call fails with KRB5_PREAUTH_FAILED
> 5.  The game closes the bad keytab and (emtpy) ccache, deletes the
> keytab and ccache files.
> 6.  Give the princ and right password.
> 7.  Same as 2, with correct password.
> 8.  Same as 3, with new keytab.
> 9.  This time, since module->use_count > 0, the preauth process is never
> called with the right key, so the preauth fails again.
> 10.  I am sad.
> 
> Do I need to toast the whole krb5_context in step 5?  That seems
> extreme, since I can use these contexts with multiple different
> auth_contexts and whatnot, they seem pretty independent of the current
> state of the login process, etc.
> 
> There's a krb5-int.h function krb5_clear_preauth_context_use_counts,
> which doesn't do me much good.
> 
> Chris
> 


More information about the Kerberos mailing list