returning krb5_rd_req error code to clients

Greg Hudson ghudson at mit.edu
Sat Jun 13 11:11:07 EDT 2015


On 06/13/2015 07:38 AM, Chris Hecker wrote:
> Is it a problem to return the krb5_rd_req error code on failed authn to 
> clients?  Is that revealing information it shouldn't and I should just 
> return success or failure?  Or filter it down to a few safe ones, like 
> clock skew, etc?

The error code might reveal a little information, but not much.  Do note
that the code might be a system errno value, and those aren't portable
across operating systems.

The extended error string can reveal more information, particularly in
1.13; for instance, it can say "Request ticket server %s kvno %d found
in keytab but not with enctype %s".  I don't think we're currently
including the pathname to the keytab, but it might be there in the future.

In general, we wouldn't include information in a server-side error
message which would immediately allow an attack (like "keytab key <hex>
cannot decrypt ticket"), but we might include information which could
conceivably assist in targeting an attack.  It's really an
administrative decision whether to keep information like that private in
the server logs, or send it to the client in order to more easily
resolve problems.
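One way to act on the "filter it down to a few safe ones" option discussed above, as an added example that is not from the thread or from MIT krb5 itself: the server keeps the raw krb5_rd_req() code and extended message in its own log line, forwards only an allowlisted subset (clock skew, expired, not-yet-valid) to the client, and collapses everything else, including anything that looks like a raw errno, to one generic failure. The KRB5KRB_AP_ERR_* values are MIT krb5's com_err codes as defined in krb5.h; they are redefined here only so the example builds without the library headers, and the errno heuristic and the APP_AUTH_FAILED code are this example's own assumptions.

```c
/* Added example: reduce a krb5_rd_req() result to a client-safe error.
 * Full detail goes to the server-side log buffer; the client sees either
 * an allowlisted krb5 code or a generic failure. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

typedef long krb5_error_code;

/* MIT krb5 com_err values (normally supplied by <krb5.h>). */
#ifndef KRB5KRB_AP_ERR_TKT_EXPIRED
#define KRB5KRB_AP_ERR_BAD_INTEGRITY (-1765328353L) /* Decrypt integrity check failed */
#define KRB5KRB_AP_ERR_TKT_EXPIRED   (-1765328352L) /* Ticket expired */
#define KRB5KRB_AP_ERR_TKT_NYV       (-1765328351L) /* Ticket not yet valid */
#define KRB5KRB_AP_ERR_SKEW          (-1765328347L) /* Clock skew too great */
#define KRB5KRB_AP_ERR_BADKEYVER     (-1765328340L) /* Key version not available */
#endif

/* Assumed application-defined code sent for anything not on the allowlist. */
#define APP_AUTH_FAILED 1L

/* Assumption (heuristic): errno values are small positives, while com_err
 * table codes are large in magnitude, so a small positive code is treated
 * as a non-portable system errno that must never reach the client. */
static int looks_like_errno(krb5_error_code code)
{
    return code > 0 && code < 256;
}

/* Codes a client can act on without learning anything about the keytab. */
static const krb5_error_code client_safe[] = {
    KRB5KRB_AP_ERR_SKEW,
    KRB5KRB_AP_ERR_TKT_EXPIRED,
    KRB5KRB_AP_ERR_TKT_NYV,
};

static const char *safe_text(krb5_error_code code)
{
    switch (code) {
    case KRB5KRB_AP_ERR_SKEW:        return "Clock skew too great";
    case KRB5KRB_AP_ERR_TKT_EXPIRED: return "Ticket expired";
    case KRB5KRB_AP_ERR_TKT_NYV:     return "Ticket not yet valid";
    default:                         return "authentication failed";
    }
}

/* code/ext_msg: what krb5_rd_req() and krb5_get_error_message() returned.
 * client_msg: text safe to send back.  log_line: text for the server log only.
 * Returns the code to report to the client. */
krb5_error_code sanitize_rd_req_error(krb5_error_code code, const char *ext_msg,
                                      char *client_msg, size_t client_len,
                                      char *log_line, size_t log_len)
{
    if (code == 0) {
        snprintf(client_msg, client_len, "ok");
        snprintf(log_line, log_len, "krb5_rd_req ok");
        return 0;
    }

    /* Keep every detail server-side, including the extended message,
     * which may name the service principal, kvno and enctype. */
    snprintf(log_line, log_len, "krb5_rd_req failed: code=%ld%s msg=\"%s\"",
             code, looks_like_errno(code) ? " (errno)" : "",
             ext_msg ? ext_msg : "");

    for (size_t i = 0; i < sizeof client_safe / sizeof client_safe[0]; i++) {
        if (code == client_safe[i]) {
            snprintf(client_msg, client_len, "%s", safe_text(code));
            return code;
        }
    }

    /* Keytab, enctype, kvno and errno problems all look the same to the client. */
    snprintf(client_msg, client_len, "%s", safe_text(APP_AUTH_FAILED));
    return APP_AUTH_FAILED;
}

int main(void)
{
    char cm[64], lg[256];
    /* Constructed sample: a kvno/enctype mismatch with a 1.13-style extended message. */
    krb5_error_code rc = sanitize_rd_req_error(
        KRB5KRB_AP_ERR_BADKEYVER,
        "Request ticket server host/example kvno 3 found in keytab but not with enctype aes256-cts",
        cm, sizeof cm, lg, sizeof lg);
    printf("client gets %ld: %s\n", rc, cm);
    printf("server logs : %s\n", lg);
    return 0;
}
```

The allowlist is deliberately tiny: skew and validity-window errors tell a client to fix its clock or renew, while key-version, enctype and keytab-lookup failures are exactly the "could assist in targeting" class Greg describes and stay in the log.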
