[krbdev.mit.edu #8124] git commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Feb 19 13:41:02 EST 2015
Use preauth timestamp in PKINIT clpreauth module
Use the timestamp from the KDC's preauth-required error when
generating a PKAuthenticator in pa_pkinit_gen_req(), to allow PKINIT
authentication to succeed despite client clock skew if kdc_timesync is
set.
Because this timestamp is unauthenticated (unless FAST is used), an
attacker could induce a legitimate client to generate a
PKAuthenticator for a future timestamp. But replaying this request in
the future would only cause the KDC to issue a ticket which the
attacker cannot decrypt.
https://github.com/krb5/krb5/commit/fcc1076541a3bd9a5fa4db0be6f74888b3f5f193
Author: Greg Hudson <ghudson at mit.edu>
Commit: fcc1076541a3bd9a5fa4db0be6f74888b3f5f193
Branch: master
src/plugins/preauth/pkinit/pkinit_clnt.c | 12 +++++++-----
1 files changed, 7 insertions(+), 5 deletions(-)
More information about the krb5-bugs
mailing list