[krbdev.mit.edu #2110] MIT KDC fails to handle unknown padata
Tom Yu via RT
rt-comment at krbdev.mit.edu
Sun Feb 1 20:04:34 EST 2004
kdc_preauth.c on the 1.3 branch has the following, which should
prevent the problem.
/* pa system was not found, but principal doesn't require preauth */
if (!pa_found &&
!isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
!isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
return 0;
The code has been there since 1999. Is this a case of the request
containing preauth the that fails to verify, rather than being a case
of preauth being submitted that the KDC does not understand?
---Tom
More information about the krb5-bugs
mailing list