PA Data and KLApi's

Mike Friedman mikef at ack.Berkeley.EDU
Fri Jan 23 11:23:34 EST 2004

On Wed Jan 21 04:29:07 2004, Sam Hartman said:

>     Brian> Is there a way to send PA data in the request the first
>     Brian> time itself
> Possibly.  As you point out the API calls do have parameters for this;
> you can pass in a set of padata types to use.
> But we recommend against doing this because it is fairly untested and
> because it will become less useful in the future as more padata types
> are added.  If you do try using these API calls and they don't work,
> please open bugs.

Well, I don't know if this is a bug or just a symptom of my lack of
understanding of what's going on:

I have code that does web proxy Kerberos authentication, using the MIT
API.  I've always wanted to remove the extra round trip caused by the
'NEEDS PREAUTH' KDC reply requiring the client to send a second AS request
with preauth data.  So, yesterday (after reading the correspondence on
the krbdev list) I changed my code to supply KRB5_PADATA_ENC_TIMESTAMP
in krb5_get_in_tkt_with_password.

It worked fine (TGT issued on initial request) until a user with an old
principal that had been created under V4, whose key is still V4 salted
('DES cbc mode with CRC-32, Version 4') reported that his authentication
failed.  The KDC log did, indeed, show 'preauth failed'.

What I don't understand is why doing the preauth in response to 'NEEDS
PREAUTH' works for this V4 key, but doing preauth on the initial AS
request doesn't.  I had to back out my change, because we still do have
a bunch of old V4-created principals.

I can live with this (doing it my original way), but I would like to
understand why I got these results.  And if there's some KDC
configuration that would 'correct' this, I'd like to know that as well.

BTW:  my KDC is running 1.2.7.



Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
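The exchange described in the post above, as an added example that is not part of the original message or of MIT krb5. It models the two client strategies side by side: eager PA-ENC-TIMESTAMP on the first AS-REQ (what passing KRB5_PADATA_ENC_TIMESTAMP to krb5_get_in_tkt_with_password does) versus answering the KDC's NEEDS-PREAUTH error. The mechanism it demonstrates is the standard one: a key created under Kerberos 4 uses the empty salt, while the RFC 4120 default salt is the realm followed by the principal's name components, and a client only learns a non-default salt from the PA-ETYPE-INFO the KDC attaches to KDC_ERR_PREAUTH_REQUIRED. An eager client has not seen that error yet, so it can only derive its key with the guessed default salt, and the KDC then logs 'preauth failed'. The realm, principals and passwords are made up, and string-to-key and timestamp encryption are HMAC-SHA256 stand-ins (labelled in the code) so the model runs without libkrb5; the real enctype derivations differ, but share the property that matters here, namely that the key depends on the salt as well as the password.

```python
import hashlib
import hmac
import time

# Salt types, mirroring the MIT KDB names KRB5_KDB_SALTTYPE_NORMAL / _V4.
SALTTYPE_NORMAL = "normal"   # salt = realm + name components (RFC 4120 default)
SALTTYPE_V4 = "v4"           # salt = "" (keys created by a Kerberos 4 KDC)

# Protocol constants from RFC 4120.
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO = 11
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
CLOCK_SKEW = 300  # seconds


def default_salt(principal: str, realm: str) -> str:
    """RFC 4120 default salt: realm, then the name components without the
    '/' separators, e.g. 'EXAMPLE.EDUhostfoo.example.edu'."""
    return realm + "".join(principal.split("/"))


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for the enctype's string-to-key (NOT the real DES-CBC-CRC
    derivation).  Same password, different salt, different key."""
    return hmac.new(salt.encode(), password.encode(), hashlib.sha256).digest()


def pa_enc_timestamp(key: bytes, now: int) -> bytes:
    """Stand-in for PA-ENC-TIMESTAMP: timestamp plus a MAC under the client
    key, which the KDC re-checks with its own copy of the key."""
    ts = now.to_bytes(8, "big")
    return ts + hmac.new(key, ts, hashlib.sha256).digest()


class KDC:
    """Minimal AS exchange: demands preauth, reveals the salt only inside the
    PREAUTH_REQUIRED error, and verifies the encrypted timestamp."""

    def __init__(self, realm: str, clock=lambda: int(time.time())):
        self.realm = realm
        self.clock = clock
        self.db = {}  # principal -> (salt, key)

    def add_principal(self, principal: str, password: str, salt_type: str):
        salt = "" if salt_type == SALTTYPE_V4 else default_salt(principal, self.realm)
        self.db[principal] = (salt, string_to_key(password, salt))

    def as_req(self, principal: str, padata: dict) -> dict:
        if principal not in self.db:
            return {"error": KDC_ERR_C_PRINCIPAL_UNKNOWN}
        salt, key = self.db[principal]
        if PA_ENC_TIMESTAMP not in padata:
            # "NEEDS PREAUTH": the only place the client learns the salt.
            return {"error": KDC_ERR_PREAUTH_REQUIRED,
                    "padata": {PA_ETYPE_INFO: {"salt": salt}}}
        blob = padata[PA_ENC_TIMESTAMP]
        ts, mac = blob[:8], blob[8:]
        expected = hmac.new(key, ts, hashlib.sha256).digest()
        if (not hmac.compare_digest(mac, expected)
                or abs(int.from_bytes(ts, "big") - self.clock()) > CLOCK_SKEW):
            return {"error": KDC_ERR_PREAUTH_FAILED}   # KDC log: 'preauth failed'
        return {"tgt": f"krbtgt/{self.realm}@{self.realm} for {principal}"}


def get_in_tkt(kdc: KDC, principal: str, password: str, eager: bool,
               clock=lambda: int(time.time())):
    """Client side.  eager=True models passing KRB5_PADATA_ENC_TIMESTAMP in
    pre_auth_types: preauth goes out on the first AS-REQ, built with the only
    salt the client can guess.  Returns (tgt_or_None, round_trips, error)."""
    padata = {}
    if eager:
        key = string_to_key(password, default_salt(principal, kdc.realm))
        padata = {PA_ENC_TIMESTAMP: pa_enc_timestamp(key, clock())}
    rep = kdc.as_req(principal, padata)
    trips = 1
    if rep.get("error") == KDC_ERR_PREAUTH_REQUIRED:
        # Second AS-REQ, now keyed with the KDC-supplied salt from ETYPE-INFO.
        key = string_to_key(password, rep["padata"][PA_ETYPE_INFO]["salt"])
        rep = kdc.as_req(principal, {PA_ENC_TIMESTAMP: pa_enc_timestamp(key, clock())})
        trips += 1
    return rep.get("tgt"), trips, rep.get("error")


def demo(clock=lambda: int(time.time())) -> dict:
    """Constructed data: one V5-created principal and one carrying a V4 salt."""
    kdc = KDC("EXAMPLE.EDU", clock)   # realm and passwords are made up
    kdc.add_principal("v5user", "correct horse", SALTTYPE_NORMAL)
    kdc.add_principal("v4user", "battery staple", SALTTYPE_V4)
    return {
        ("v5user", "eager"): get_in_tkt(kdc, "v5user", "correct horse", True, clock),
        ("v5user", "needs-preauth"): get_in_tkt(kdc, "v5user", "correct horse", False, clock),
        ("v4user", "eager"): get_in_tkt(kdc, "v4user", "battery staple", True, clock),
        ("v4user", "needs-preauth"): get_in_tkt(kdc, "v4user", "battery staple", False, clock),
    }


if __name__ == "__main__":
    for (who, how), (tgt, trips, err) in demo().items():
        print(f"{who:7} {how:14} round trips={trips} "
              f"{'TGT issued' if tgt else 'error ' + str(err)}")
```

The V5-created principal gets its TGT in one round trip either way, because its stored key happens to use the salt the client guesses. The V4-salted principal succeeds only on the NEEDS-PREAUTH path, where the second AS-REQ is keyed with the empty salt the KDC announced; the eager attempt fails with KDC_ERR_PREAUTH_FAILED and, since that is not PREAUTH_REQUIRED, the client never gets the ETYPE-INFO it would need to recover.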
