[krbdev.mit.edu #9046] requires_hwauth can cause a preauth loop with PKINIT

Greg Hudson via RT rt-comment at kerborg-prod-app-1.mit.edu
Wed Jan 19 11:19:34 EST 2022


Wed Jan 19 11:19:33 2022: Request 9046 was acted upon.
 Transaction: Ticket created by ghudson at mit.edu
       Queue: krb5
     Subject: requires_hwauth can cause a preauth loop with PKINIT
       Owner: Nobody
  Requestors: ghudson at mit.edu
      Status: new
 Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9046 >


If an admin sets requires_hwauth on a principal and configures PKINIT but not
a certauth module to set the hw-authent ticket flag, this happens during an AS
request:

1. The client sends an unauthenticated request.
2. The KDC responds with PREAUTH_REQUIRED and a hint list offering PKINIT.
3. The client sends a PKINIT-authenticated request.
4. The KDC validates the PKINIT padata, but determines that the preauth
requirements are not met, so it responds again with PREAUTH_REQUIRED and the
same hint list.

and the exchange repeats from step 2 until the client's preauth loop count is
exceeded.  This is similar to issue 7672, but there the problem is a useless
hint list.  Issue 8879 (certauth) is related because it allows PKINIT to be
offered for requires_hwauth client principals.

The KDC should probably recognize this situation at step 4 (specifically, that
pre-authent is set but not hw-authent), log a specific message about
insufficient preauth, and respond with PREAUTH_FAILED instead of
PREAUTH_REQUIRED.
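The following is an added model of the exchange above, not krb5 code: principal attributes, ticket flags, the client's loop bound (max_rounds) and the `fixed` switch selecting the proposed step-4 behaviour are all assumptions of the model.

```c
#include <stdbool.h>
/* Added model of the KDC's AS-REQ preauth decision; not krb5 code.
 * Principal attributes and ticket flags are modelled as bit masks. */
#define REQUIRES_PREAUTH 0x1u
#define REQUIRES_HWAUTH  0x2u
#define TKT_PRE_AUTHENT  0x1u
#define TKT_HW_AUTHENT   0x2u
enum reply { ISSUE_TGT, PREAUTH_REQUIRED, PREAUTH_FAILED };
struct outcome { int rounds; enum reply last; };

/* Validated PKINIT padata sets pre-authent; hw-authent is only set when a
 * certauth module grants it (certauth_hw models such a module being present). */
unsigned validate_padata(bool pkinit, bool certauth_hw)
{
    unsigned flags = 0;
    if (pkinit) {
        flags |= TKT_PRE_AUTHENT;
        if (certauth_hw) flags |= TKT_HW_AUTHENT;
    }
    return flags;
}

enum reply kdc_decide(unsigned attrs, unsigned tkt, bool fixed)
{
    if ((attrs & (REQUIRES_PREAUTH | REQUIRES_HWAUTH)) && !(tkt & TKT_PRE_AUTHENT))
        return PREAUTH_REQUIRED;      /* no preauth yet: offer the hint list */
    if ((attrs & REQUIRES_HWAUTH) && !(tkt & TKT_HW_AUTHENT)) {
        /* pre-authent is set but hw-authent is not: the validated padata can
         * never satisfy requires_hwauth, so re-sending the same hint list
         * only loops. The ticket proposes failing the request here instead. */
        return fixed ? PREAUTH_FAILED : PREAUTH_REQUIRED;
    }
    return ISSUE_TGT;
}

/* Client/KDC exchange: round 1 is unauthenticated, later rounds use PKINIT
 * from the hint list. max_rounds stands in for the client's loop detection. */
struct outcome run_exchange(unsigned attrs, bool certauth_hw, bool fixed,
                            int max_rounds)
{
    struct outcome o = { 0, PREAUTH_REQUIRED };
    bool pkinit = false;
    while (o.rounds < max_rounds) {
        o.rounds++;
        o.last = kdc_decide(attrs, validate_padata(pkinit, certauth_hw), fixed);
        if (o.last != PREAUTH_REQUIRED)
            break;
        pkinit = true;                /* client retries with PKINIT */
    }
    return o;
}
```

With `fixed` false a requires_hwauth principal and no certauth module runs until max_rounds with PREAUTH_REQUIRED every time; with `fixed` true the second round ends in PREAUTH_FAILED.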