preauth module use_count check preventing new password retry
Chris Hecker
checker at d6.com
Wed Feb 22 02:23:29 EST 2012
Deleting the krb5_contexts on the thread that talks to the kdc fixes
this, but seems hacky.
Chris
On 2012/02/21 23:14, Chris Hecker wrote:
>
> The check for if (module->use_count > 0) in preauth2.c is kind of hosing
> me, so I'm wondering what I'm doing wrong here...
>
> I have +requires_preauth set on a princ. My game uses a keytab and a
> ccache to store the user's login information locally. Here are the
> repro steps for my problem:
>
> 0. The game creates a krb5_context.
> 1. Give my game a princ and the wrong password.
> 2. The game creates a keytab with this info, and an empty ccache.
> 3. The game calls krb5_get_init_creds_keytab with this keytab and
> ccache as the destination.
> 4. The call fails with KRB5_PREAUTH_FAILED
> 5. The game closes the bad keytab and (empty) ccache, deletes the
> keytab and ccache files.
> 6. Give the princ and right password.
> 7. Same as 2, with correct password.
> 8. Same as 3, with new keytab.
> 9. This time, since module->use_count > 0, the preauth process is never
> called with the right key, so the preauth fails again.
> 10. I am sad.
>
> Do I need to toast the whole krb5_context in step 5? That seems
> extreme, since I can use these contexts with multiple different
> auth_contexts and whatnot, they seem pretty independent of the current
> state of the login process, etc.
>
> There's a krb5-int.h function krb5_clear_preauth_context_use_counts,
> which doesn't do me much good.
>
> Chris
>