non-ascii password in kerberos authentication

Xu Qiang Qiang.Xu at fujixerox.com
Fri Sep 14 06:35:33 EDT 2007


Forgot to mention that the code related to this part is: 
==============================================
static krb5_error_code
KRB5_CALLCONV
krb5_nullpassword_prompter(
    krb5_context ctx,
    void *data,
    const char *name,
    const char *banner,
    int num_prompts,
    krb5_prompt prompts[]
    )
{
    int i;
    krb5_prompt_type *types;
    /* Delegate to the POSIX prompter first. */
    krb5_error_code rc =
        krb5_nullpassword_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
    /* On success, walk the prompt types looking for password prompts. */
    if (!rc && (types = krb5_get_prompt_types(ctx)))
        for (i = 0; i < num_prompts; i++)
            if ((types[i] == KRB5_PROMPT_TYPE_PASSWORD) ||
                (types[i] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN))
            {
                /* Body is empty in the posted code. */
            }
    return rc;
}
 ......
    case INIT_PW:
        /* Request initial credentials with the supplied password. */
        code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
                                            password, krb5_nullpassword_prompter, 0,
                                            opts->starttime,
                                            opts->service_name,
                                            &options);
  ......
==============================================
But the return value of "code" is always KRB5KDC_ERR_PREAUTH_FAILED. 

Hope someone could help,
Xu Qiang

> -----Original Message-----
> From: krbdev-bounces at mit.edu 
> [mailto:krbdev-bounces at mit.edu]On Behalf Of Xu Qiang
> Sent: Friday, September 14, 2007 5:14 PM
> To: krbdev at mit.edu
> Subject: non-ascii password in kerberos authentication
> 
> 
> Hi, all:
> 
> Our printers are using krb5 developed by MIT as a client for 
> kerberos authentication. 
> 
> Recently, I found that when a user tried to log into the 
> printer against Windows 2003 Server running kerberos service, 
> it will fail if his/her password contains non-ascii 
> characters. However, it will succeed if only the username 
> contains non-ascii characters. 
> 
> There are two users with <username>/<password> in ADS as:
> 1. "stmêé/Fair123"
> This can be authenticated.
> 
> 2. "stm123/êéFair123"
> This cannot be authenticated.
> 
> Although kerberos cannot authenticate the second one, LDAP 
> can. That shows that kerberos algorithm still has some defects in it.
> 
> I looked at the source code, and found the same algorithm is 
> used to convert latin characters to utf characters, for 
> both username and password. So essentially it should work for 
> password, since username containing non-ascii chars can be 
> passed, right?
> 
> I got confused and want to know if any extra work needs to be 
> done for password having non-ascii chars in it.
> 
> TIA,
> Xu Qiang
> 
> 
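
An added example, not part of the original message and not MIT krb5 code: assuming the account's key is RC4-HMAC, whose string-to-key input under RFC 4757 is the UTF-16LE form of the password, it shows how the byte encoding of "êéFair123" handed to the client changes that input. The helper names and the byte-widening conversion are hypothetical, and the byte arrays are constructed from the password quoted in the post.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the post's password "êéFair123" in two byte encodings. */
static const unsigned char PW_LATIN1[] = {0xEA, 0xE9, 'F', 'a', 'i', 'r', '1', '2', '3'};
static const unsigned char PW_UTF8[] = {0xC3, 0xAA, 0xC3, 0xA9, 'F', 'a', 'i', 'r', '1', '2', '3'};

/* Hypothetical: widen each byte to one UTF-16LE unit (right for Latin-1, wrong for UTF-8). */
size_t widen_to_utf16le(const unsigned char *in, size_t n, unsigned char *out)
{
    for (size_t i = 0; i < n; i++) { out[2 * i] = in[i]; out[2 * i + 1] = 0; }
    return 2 * n;
}

/* Hypothetical: decode 1- to 3-byte UTF-8 to UTF-16LE; returns 0 on malformed input.
 * Surrogates and 3-byte overlong forms are not rejected in this short version. */
size_t utf8_to_utf16le(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; ) {
        unsigned cp, extra;
        if (in[i] < 0x80) { cp = in[i]; extra = 0; }
        else if (in[i] >= 0xC2 && (in[i] & 0xE0) == 0xC0) { cp = in[i] & 0x1F; extra = 1; }
        else if ((in[i] & 0xF0) == 0xE0) { cp = in[i] & 0x0F; extra = 2; }
        else return 0;
        if (i + extra >= n) return 0;          /* sequence truncated */
        i++;
        while (extra--) {
            if ((in[i] & 0xC0) != 0x80) return 0;   /* not a continuation byte */
            cp = (cp << 6) | (in[i++] & 0x3F);
        }
        out[o++] = (unsigned char)(cp & 0xFF);
        out[o++] = (unsigned char)(cp >> 8);
    }
    return o;
}

/* 1 if two buffers would give the same string-to-key input. */
int same_key_input(const unsigned char *a, size_t an, const unsigned char *b, size_t bn)
{
    return an == bn && memcmp(a, b, an) == 0;
}

int main(void)
{
    unsigned char ref[64], a[64], b[64];
    size_t rn = utf8_to_utf16le(PW_UTF8, sizeof PW_UTF8, ref);
    printf("Latin-1 widened matches: %d\n", same_key_input(ref, rn, a, widen_to_utf16le(PW_LATIN1, sizeof PW_LATIN1, a)));
    printf("UTF-8 widened matches:   %d\n", same_key_input(ref, rn, b, widen_to_utf16le(PW_UTF8, sizeof PW_UTF8, b)));
    return 0;
}
```

A mismatch in this input gives the client a different key from the one the KDC holds, which shows up as a pre-authentication failure rather than as an encoding error.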



