[krbdev.mit.edu #7672] KDC can emit PREAUTH_REQUIRED error with useless hint list
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Feb 12 12:08:47 EST 2018
This scenario can also occur if the request enctypes list and the
client keys do not overlap, e.g.:

    make testrealm
    kadmin.local cpw -pw user -e aes256-cts user
    kadmin.local modprinc +preauth user
    in krb5.conf: [libdefaults] default_tkt_enctypes = aes128-cts
    kinit user

We tolerate the lack of a client key in case we can use PKINIT or OTP,
but when we can't offer one of those we offer the same meaningless
133/136 hint list as in the +hwauth case.
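
A pre-flight check for the condition described in this message, added here as an example and not part of the original message or of krb5: it compares default_tkt_enctypes from a krb5.conf with the key enctypes and attributes shown by `kadmin getprinc`. The sample texts are constructed, the function names are hypothetical, the alias table covers only the two short names used above, and an unset default_tkt_enctypes is assumed to mean the library default list (reported as no finding).

```python
import re

# Short names used in this message, mapped to canonical MIT krb5 enctype names.
ALIASES = {"aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96"}

def norm(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def tkt_enctypes(conf):
    """Return default_tkt_enctypes from [libdefaults] as a list, or None if unset."""
    section = None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "default_tkt_enctypes":
                return [norm(e) for e in re.split(r"[,\s]+", val) if e]
    return None

def principal_info(getprinc):
    """Extract key enctypes and the preauth flag from `kadmin getprinc` output."""
    # "^Key:" with re.M skips the "MKey:" line.
    keys = {norm(e) for e in re.findall(r"^Key: vno \d+, ([\w-]+)", getprinc, re.M)}
    attrs = re.search(r"^Attributes:(.*)$", getprinc, re.M)
    preauth = bool(attrs and "REQUIRES_PRE_AUTH" in attrs.group(1).split())
    return keys, preauth

def useless_hint(conf, getprinc, pkinit_or_otp=False):
    """True when preauth is required, no requested enctype matches a client
    key, and neither PKINIT nor OTP is on offer (the case in this message)."""
    requested = tkt_enctypes(conf)
    keys, preauth = principal_info(getprinc)
    if requested is None or not preauth or pkinit_or_otp:
        return False
    return not keys.intersection(requested)

# Constructed sample inputs mirroring the reproduction steps above.
CONF = "[libdefaults]\n    default_tkt_enctypes = aes128-cts\n"
GETPRINC = ("Principal: user@KRBTEST.COM\nNumber of keys: 1\n"
            "Key: vno 2, aes256-cts-hmac-sha1-96\nMKey: vno 1\n"
            "Attributes: REQUIRES_PRE_AUTH\n")

if __name__ == "__main__":
    print("useless hint list expected:", useless_hint(CONF, GETPRINC))
```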