fast and patypes in KRB-ERROR
Srinivas Cheruku
Srinivas.Cheruku at CyberSafe.com
Thu May 14 08:35:53 EDT 2009
Hi,
I noticed that when kinit is used without -T option (e.g. no fast used) and if the user principal requires pre-authentication, I see the following pa-types in KRB-ERROR e-data:
1. PA-ENC-TIMESTAMP
2. PA-FX-COOKIE (not sure why this is required? Anyway, I think MIT uses some dummy cookie)
3. PA-ETYPE-INFO2
4. PA-SAM-RESPONSE
5. PA-FX-FAST
I think it might be good to include PA-ENCRYPTED-CHALLENGE also when user principal requires pre-authentication.
This would mean that a FAST-enabled kinit can do the following:
1. kinit can send a non-fast request to KDC
2. KDC replies with KRB-ERROR containing the above pa-types along with PA-ENCRYPTED-CHALLENGE (for user principals having pre-auth required set)
3. kinit can check for PA-FX-FAST and PA-ENCRYPTED-CHALLENGE and send a fast request containing pa-enc-challenge padata.
4. KDC sends tgt using FAST on successful authentication
I know that MIT kinit doesn't support this behaviour but other vendors can support this.
Any advice or issues you foresee?
Thanks,
Srini
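The exchange described in the mail, as an added example that is not part of the original post or of MIT Kerberos: a minimal DER encoder/decoder for the METHOD-DATA carried in KRB-ERROR e-data (a SEQUENCE OF PA-DATA, RFC 4120 section 5.2.7), the KDC-side list of pa-types from the mail, and the client-side selection rule from step 3. The padata-type numbers are the IANA values from RFC 4120 and RFC 6113; the cookie value and the helper names are constructed for the example. The selection function only covers the two outcomes the mail discusses (FAST with PA-ENCRYPTED-CHALLENGE when both are advertised, otherwise the legacy encrypted timestamp), and does not model wrapping PA-ENC-TIMESTAMP inside FAST.

```python
# Added example: build and parse KRB-ERROR e-data (METHOD-DATA) and apply the
# pre-auth selection rule from the mail. Hand-rolled DER for the tiny subset
# needed; not MIT's code and not a full ASN.1 implementation.

# padata-type values from RFC 4120 section 7.5.2 and RFC 6113 section 7.1.
PA_ENC_TIMESTAMP = 2
PA_SAM_RESPONSE = 13
PA_ETYPE_INFO2 = 19
PA_FX_COOKIE = 133
PA_FX_FAST = 136
PA_ENCRYPTED_CHALLENGE = 138

PA_NAMES = {
    PA_ENC_TIMESTAMP: "PA-ENC-TIMESTAMP",
    PA_SAM_RESPONSE: "PA-SAM-RESPONSE",
    PA_ETYPE_INFO2: "PA-ETYPE-INFO2",
    PA_FX_COOKIE: "PA-FX-COOKIE",
    PA_FX_FAST: "PA-FX-FAST",
    PA_ENCRYPTED_CHALLENGE: "PA-ENCRYPTED-CHALLENGE",
}

# What the mail reports the KDC sends today (cookie value is constructed).
MAIL_EDATA = [
    (PA_ENC_TIMESTAMP, b""),
    (PA_FX_COOKIE, b"dummy-cookie"),
    (PA_ETYPE_INFO2, b""),
    (PA_SAM_RESPONSE, b""),
    (PA_FX_FAST, b""),
]
# The mail's proposal: the same list plus PA-ENCRYPTED-CHALLENGE.
PROPOSED_EDATA = MAIL_EDATA + [(PA_ENCRYPTED_CHALLENGE, b"")]


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Non-negative INTEGER; extra leading zero added when the top bit is set."""
    assert n >= 0
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def encode_pa_data(ptype, value):
    # PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
    return tlv(0x30, tlv(0xA1, der_int(ptype)) + tlv(0xA2, tlv(0x04, value)))


def encode_method_data(entries):
    # METHOD-DATA ::= SEQUENCE OF PA-DATA
    return tlv(0x30, b"".join(encode_pa_data(t, v) for t, v in entries))


def read_tlv(buf, pos, want_tag):
    """Read one single-byte-tag TLV at pos; return (body, next_pos)."""
    if buf[pos] != want_tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (want_tag, buf[pos]))
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return buf[pos:pos + length], pos + length


def parse_method_data(buf):
    """Decode METHOD-DATA into a list of (padata-type, padata-value)."""
    body, end = read_tlv(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after METHOD-DATA")
    entries, pos = [], 0
    while pos < len(body):
        pa, pos = read_tlv(body, pos, 0x30)
        f1, p = read_tlv(pa, 0, 0xA1)
        ib, _ = read_tlv(f1, 0, 0x02)
        f2, p = read_tlv(pa, p, 0xA2)
        ob, _ = read_tlv(f2, 0, 0x04)
        if p != len(pa):
            raise ValueError("trailing bytes in PA-DATA")
        entries.append((int.from_bytes(ib, "big", signed=True), ob))
    return entries


def choose_preauth(offered, fast_capable=True):
    """Step 3 of the mail: pick FAST + encrypted challenge when both are advertised."""
    types = {t for t, _ in offered}
    if fast_capable and PA_FX_FAST in types and PA_ENCRYPTED_CHALLENGE in types:
        return "FAST:PA-ENCRYPTED-CHALLENGE"
    if PA_ENC_TIMESTAMP in types:
        return "PLAIN:PA-ENC-TIMESTAMP"
    return None


if __name__ == "__main__":
    for label, entries in (("current", MAIL_EDATA), ("proposed", PROPOSED_EDATA)):
        parsed = parse_method_data(encode_method_data(entries))
        print(label, [PA_NAMES.get(t, t) for t, _ in parsed], "->", choose_preauth(parsed))
```

Run stand-alone it prints the pa-type names recovered from each e-data and the client's choice; with the list from the mail the client has no way to pick the encrypted challenge, and only the proposed list lets a FAST-capable client avoid sending an encrypted timestamp in the clear exchange. The decoder rejects trailing bytes and truncated elements, which is the usual place a lax KRB-ERROR parser goes wrong.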