issue with preauth processing

Will Fiveash William.Fiveash at
Wed Oct 21 19:46:33 EDT 2009

I have an issue with the following behavior.  I want to limit the
preauths tried by libkrb to only PKINIT types.  What I find is that
libkrb5 will fall back to trying KRB5_PADATA_ENC_TIMESTAMP if the all
the attempts to do PKINIT preauth fail.  This doesn't seem like correct
behavior if I've used krb5_get_init_creds_opt_set_preauth_list() to
specify the preauths to try.  Here's how I tried to limit the preauths

        krb5_preauthtype pk_pa_list[] = {

        /* limit Preauth types to just those for PKINIT */
        krb5_get_init_creds_opt_set_preauth_list(&opts, pk_pa_list, 4);

        code = krb5_get_init_creds_password(kmd->kcontext,
            NULL, /* clear text passwd */
            pam_krb5_prompter, /* prompter */
            pamh, /* prompter data */
            0, /* start time */
            NULL, /* defaults to krbtgt at REALM */

I think the problem occurs here in krb5_get_init_creds()

line 1512:
    if ((ret = krb5_do_preauth(context,
                   encoded_request_body, encoded_previous_request,
                   local_as_reply->padata, &kdc_padata,
                   &salt, &s2kparams, &etype, &as_key, prompter,
                   prompter_data, gak_fct, gak_data,
                   &get_data_rock, options))) {

The logic ignores the krb5_gic_opt_ext *options that is passed in to
krb5_get_init_creds().  Thoughts?

Will Fiveash
Sun Microsystems Inc.
Sent from mutt, a sweet ASCII MUA

More information about the krbdev mailing list