fast and patypes in KRB-ERROR
Srinivas.Cheruku at CyberSafe.com
Thu May 14 08:35:53 EDT 2009
I noticed that when kinit is used without -T option (e.g. no fast used) and if the user principal requires pre-authentication, I see the following pa-types in KRB-ERROR e-data:
2. PA-FX-COOKIE (not sure why this is required ?? anyway, I think MIT uses some dummy cookie)
I think it might be good to include PA-ENCRYPTED-CHALLENGE also when user principal requires pre-authentication.
This would means that fast enabled kinit can do the following:
1. kinit can send a non-fast request to KDC
2. KDC replies with KRB-ERROR containing the above pa-types along with PA-ENCRYPTED-CHALLENGE (for user principals having pre-auth required set)
3. kinit can check for PA-FX-FAST and PA-ENCRYPTED-CHALLENGE and send a fast request containing pa-enc-challenge padata.
4. KDC sends tgt using FAST on successful authentication
I know that MIT kinit doesn't support this behaviour but other vendors can support this.
Any advice or issues you foresee?
More information about the krbdev