[krbdev.mit.edu #8654] git commit
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Apr 9 12:09:14 EDT 2018
Restrict pre-authentication fallback cases

Add a new callback disable_fallback() and call it from each clpreauth
module when it generates a client message using credentials to
authenticate. (For SPAKE, this is the message responding to a
challenge; for all other current mechanisms, it is the first and only
client message.) If disable_fallback() is called, do not try another
mechanism after a KDC error.

Remove k5_reset_preauth_types_tried() and its call sites, so that
preauth mechanisms which are tried optimistically will no longer be
retried after a failure.
https://github.com/krb5/krb5/commit/7a24a088c16d326127dd2b29084d4ca085c70d10
Author: Greg Hudson <ghudson at mit.edu>
Commit: 7a24a088c16d326127dd2b29084d4ca085c70d10
Branch: master
src/include/krb5/clpreauth_plugin.h | 14 +++++
src/lib/krb5/krb/get_in_tkt.c | 21 +++-----
src/lib/krb5/krb/init_creds_ctx.h | 1 +
src/lib/krb5/krb/int-proto.h | 3 -
src/lib/krb5/krb/preauth2.c | 23 +++-----
src/lib/krb5/krb/preauth_ec.c | 1 +
src/lib/krb5/krb/preauth_encts.c | 2 +
src/lib/krb5/krb/preauth_otp.c | 4 ++
src/lib/krb5/krb/preauth_sam2.c | 1 +
src/plugins/preauth/pkinit/pkinit_clnt.c | 1 +
src/plugins/preauth/spake/spake_client.c | 4 ++
src/plugins/preauth/test/cltest.c | 11 ++++
src/tests/t_preauth.py | 88 ++++++++++++++++++++++++++----
src/tests/t_spake.py | 9 +---
14 files changed, 134 insertions(+), 49 deletions(-)
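
The fallback rule described in the commit message, as an added example that is not code from the commit or from krb5: a simplified model in which a KDC error is final once a mechanism has sent its credential-bearing message. The `struct mech` layout, the `run_preauth()` function and the three scenarios are hypothetical and constructed for illustration; the removal of k5_reset_preauth_types_tried() is not modelled.

```c
/* Added illustration: a simplified model of the fallback rule, not krb5 source. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct mech {            /* hypothetical stand-in for a clpreauth module */
    const char *name;
    int cred_msg;        /* index of the client message that uses credentials */
    int kdc_error_at;    /* constructed: message index the KDC rejects, -1 = none */
};

/* Constructed scenarios. SPAKE uses credentials in its second message (the
 * challenge response); the other mechanisms use them in their only message. */
static const struct mech encts_bad[] = { {"encts", 0, 0}, {"otp", 0, -1} };
static const struct mech spake_early[] = { {"spake", 1, 0}, {"encts", 0, -1} };
static const struct mech spake_late[] = { {"spake", 1, 1}, {"encts", 0, -1} };

/* Return the index of the mechanism that succeeded, or -1. *tried counts
 * how many mechanisms sent at least one message. */
static int run_preauth(const struct mech *m, size_t n, int *tried)
{
    bool fallback_disabled = false;
    *tried = 0;
    for (size_t i = 0; i < n; i++) {
        bool failed = false;
        (*tried)++;
        for (int msg = 0; msg <= m[i].cred_msg && !failed; msg++) {
            if (msg == m[i].cred_msg)
                fallback_disabled = true;   /* models disable_fallback() */
            failed = (msg == m[i].kdc_error_at);
        }
        if (!failed)
            return (int)i;
        if (fallback_disabled)
            return -1;                      /* KDC error is final */
    }
    return -1;
}

int main(void)
{
    int tried;
    printf("encts rejected:       %d\n", run_preauth(encts_bad, 2, &tried));
    printf("spake rejected early: %d\n", run_preauth(spake_early, 2, &tried));
    printf("spake rejected late:  %d\n", run_preauth(spake_late, 2, &tried));
    return 0;
}
```

In this model only the SPAKE exchange rejected before its challenge response reaches a second mechanism; the other two scenarios stop after one mechanism.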