new krb5kdc -4 <option>?

John Hascall john at
Tue Jan 6 09:12:15 EST 2004

As a step along the way of our strategy to (finally!) quit supporting K4
we stopped issuing TGTs via K4 today.  This meant we only had to have a
"flag day" for "login applications"  -- which now all get a TGT via K5
and use krb524 (if needed) to convert that to a K4 TGT for old K4 apps.

Anyway, I was a little surprised that something like this wasn't an option
to the kdc, but it was fairly trivial to add it.

[I'd do a diff but we've added other stuff and the changes are quite small]

All in src/kdc/kerberos_v4.c:

#define KDC_V4_NOPREAUTH        3       /* Preauth required disallowed */
#define KDC_V4_APPLICATION      4       /* app requests only (no tgts) */

{ KDC_V4_NOPREAUTH,     "nopreauth"     },
{ KDC_V4_APPLICATION,   "application"   },

In the kerberos_v4() function, just BEFORE:
            if (kdc_v4 == KDC_V4_APPLICATION) {
                lt = klog(L_KRB_PERR,
                "KRB will not handle v4 tgt request from %s",
                /* send an error reply */ 
                req_name_ptr = req_inst_ptr = req_realm_ptr = "";
                kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);

That's it.
If you want, just before that last bit, you can put something like:
            if (blessedHost(client_host)) {
                /* log it if you like  */
            } else
and then write a blessedHost() function (however you see fit) if you
need to allow some exceptions during your transition period.


More information about the krbdev mailing list