[krbdev.mit.edu #8537] Preauthentication should continue after failure
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Jan 13 12:54:10 EST 2017
I forgot to note a possible failure scenario we should handle: the KDC
could return a mechanism-specific error with error padata, like PKINIT's
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. In this case we invoke the
module's tryagain handler; if that fails, we should also go back to the
original METHOD-DATA and try again.
I also forgot to note the main motivation for this ticket, aside from
the SHOULD clause in RFC 6113 section 2. When we introduce the SPAKE
preauth mechanism, it will eventually become possible for SPAKE to fail
on the client side in the second hop due to second-factor negotiation.
We want to try any other preauth mechanisms offered by the KDC if this
happens.
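The fallback described above, as an added illustration that is not part of the original message or of krb5 itself: a Python model of a client walking the KDC's METHOD-DATA, giving a module one tryagain round on a mechanism-specific error with error padata (the PKINIT DH-group case), treating a client-side failure on a later hop (the SPAKE second-factor case) the same way, and returning to the original METHOD-DATA to try the next offered mechanism. The module interface (process/tryagain), FakeKDC, the group names and all padata contents are hypothetical stand-ins for the real plugin API and wire format.

```python
# Simplified model of the client-side fallback described in this ticket.
# Added example, not krb5 code: the module interface (process/tryagain), FakeKDC
# and all padata contents are hypothetical stand-ins.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 4120 / 4556 / 6113 error codes, modelled as names only.
DH_PARAMS_NOT_ACCEPTED = "KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED"
MORE_PREAUTH_DATA = "KDC_ERR_MORE_PREAUTH_DATA_REQUIRED"

@dataclass
class Reply:
    ok: bool = False
    error: Optional[str] = None
    padata: Dict = field(default_factory=dict)  # error padata, may be empty

class PreauthModule:
    name = ""
    def process(self, kdc_padata: Dict) -> Optional[Dict]:
        """Client padata for this hop; None means a client-side failure."""
        raise NotImplementedError
    def tryagain(self, error: str, err_padata: Dict) -> Optional[Dict]:
        """Handle a mechanism-specific error; None means give up on this mechanism."""
        return None

class Pkinit(PreauthModule):
    name = "PKINIT"
    def __init__(self, supported_groups):
        self.supported_groups = supported_groups
    def process(self, kdc_padata):
        return {"dh_group": "modp1024"}  # constructed default first proposal
    def tryagain(self, error, err_padata):
        if error != DH_PARAMS_NOT_ACCEPTED:
            return None
        # Error padata lists the groups the KDC accepts; use one we support.
        for g in err_padata.get("accepted_groups", []):
            if g in self.supported_groups:
                return {"dh_group": g}
        return None

class Spake(PreauthModule):
    name = "SPAKE"
    def __init__(self, second_factor: Optional[str]):
        self.second_factor = second_factor
    def process(self, kdc_padata):
        if "factor_request" not in kdc_padata:
            return {"hop": 1}
        # Second hop: second-factor negotiation fails client-side if none is available.
        return None if self.second_factor is None else {"hop": 2, "factor": self.second_factor}

class EncTimestamp(PreauthModule):
    name = "ENC_TIMESTAMP"
    def process(self, kdc_padata):
        return {"timestamp": 1484329200}  # constructed value

class FakeKDC:
    """Constructed KDC: PKINIT only with modp2048, SPAKE needs a second hop
    with a second factor, ENC_TIMESTAMP always accepted."""
    method_data = ["PKINIT", "SPAKE", "ENC_TIMESTAMP"]  # original METHOD-DATA
    def as_req(self, mech: str, padata: Dict) -> Reply:
        if mech == "PKINIT":
            if padata["dh_group"] == "modp2048":
                return Reply(ok=True)
            return Reply(error=DH_PARAMS_NOT_ACCEPTED,
                         padata={"accepted_groups": ["modp2048", "modp4096"]})
        if mech == "SPAKE":
            if padata["hop"] == 1:
                return Reply(error=MORE_PREAUTH_DATA, padata={"factor_request": "otp"})
            return Reply(ok=True)
        if mech == "ENC_TIMESTAMP":
            return Reply(ok=True)
        return Reply(error="KDC_ERR_PREAUTH_FAILED")

def run_preauth(kdc, modules: List[PreauthModule], log: List[str]) -> Optional[str]:
    """Walk the original METHOD-DATA in order; return the mechanism that succeeded.
    A failure (client-side on a later hop, or after tryagain fails) does not end
    the exchange: the client returns to METHOD-DATA and tries the next entry."""
    by_name = {m.name: m for m in modules}
    for mech in kdc.method_data:
        mod = by_name.get(mech)
        if mod is None:
            continue  # no client module for this padata type
        kdc_padata: Dict = {}
        while True:
            req = mod.process(kdc_padata)
            if req is None:
                log.append(f"{mech}: client-side failure, next mechanism")
                break
            reply = kdc.as_req(mech, req)
            if reply.ok:
                log.append(f"{mech}: success")
                return mech
            if reply.error == MORE_PREAUTH_DATA:
                kdc_padata = reply.padata  # proceed to the next hop
                continue
            # Mechanism-specific error with error padata: one tryagain round.
            retry = mod.tryagain(reply.error, reply.padata) if reply.padata else None
            if retry is not None and kdc.as_req(mech, retry).ok:
                log.append(f"{mech}: success after tryagain")
                return mech
            log.append(f"{mech}: {reply.error}, falling back to METHOD-DATA")
            break
    return None
```

Running `run_preauth(FakeKDC(), [Pkinit(("modp1024",)), Spake(None), EncTimestamp()], trace)` models the worst case from the ticket: the client's PKINIT tryagain cannot satisfy the KDC's DH requirements, SPAKE fails on the second hop for lack of a second factor, and the exchange still completes with ENC_TIMESTAMP because the client went back to the original METHOD-DATA each time instead of giving up.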