issue with preauth processing
    Will Fiveash
    William.Fiveash at sun.com
    Wed Oct 21 19:46:33 EDT 2009

I have an issue with the following behavior.  I want to limit the
preauths tried by libkrb5 to only PKINIT types.  What I find is that
libkrb5 will fall back to trying KRB5_PADATA_ENC_TIMESTAMP if all
the attempts to do PKINIT preauth fail.  This doesn't seem like correct
behavior if I've used krb5_get_init_creds_opt_set_preauth_list() to
specify the preauths to try.  Here's how I tried to limit the preauths
tried:
        krb5_preauthtype pk_pa_list[] = {
            KRB5_PADATA_PK_AS_REP,
            KRB5_PADATA_PK_AS_REQ,
            KRB5_PADATA_PK_AS_REP_OLD,
            KRB5_PADATA_PK_AS_REQ_OLD
        };
        /* limit Preauth types to just those for PKINIT */
        krb5_get_init_creds_opt_set_preauth_list(&opts, pk_pa_list, 4);
        code = krb5_get_init_creds_password(kmd->kcontext,
            my_creds,
            me,
            NULL, /* clear text passwd */
            pam_krb5_prompter, /* prompter */
            pamh, /* prompter data */
            0, /* start time */
            NULL, /* defaults to krbtgt at REALM */
            &opts);
I think the problem occurs here in krb5_get_init_creds()
line 1512:
    if ((ret = krb5_do_preauth(context,
                   &request,
                   encoded_request_body, encoded_previous_request,
                   local_as_reply->padata, &kdc_padata,
                   ^^^^^^^^^^^^^^^^^^^^^^
                   &salt, &s2kparams, &etype, &as_key, prompter,
                   prompter_data, gak_fct, gak_data,
                   &get_data_rock, options))) {
The logic ignores the krb5_gic_opt_ext *options that is passed in to
krb5_get_init_creds().  Thoughts?
-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
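As an added illustration (not code from the post or from MIT krb5): a small C model of the selection step the post argues should honour the caller's preauth list, so that an allow list of PKINIT types can never end in an ENC_TIMESTAMP attempt. It uses the RFC 4120 / RFC 4556 type numbers as plain integers so it builds without libkrb5; select_preauth and the two case functions are hypothetical names, and the "offered" arrays are constructed inputs.

```c
#include <stddef.h>

/* Preauth type numbers from RFC 4120 / RFC 4556, as plain integers so this
 * builds without libkrb5 (a model of the selection step, not libkrb5 code). */
#define PA_ENC_TIMESTAMP  2
#define PA_PK_AS_REQ_OLD 14
#define PA_PK_AS_REP_OLD 15
#define PA_PK_AS_REQ     16
#define PA_PK_AS_REP     17

/* Walk the caller's allow list in preference order and return the first
 * type the KDC also offered. An empty allow list means "no restriction".
 * Returns -1 when nothing acceptable was offered: the caller should fail
 * here rather than silently fall back to an unlisted mechanism such as
 * ENC_TIMESTAMP. */
int select_preauth(const int *allowed, size_t n_allowed,
                   const int *offered, size_t n_offered)
{
    if (n_allowed == 0)
        return n_offered ? offered[0] : -1;
    for (size_t i = 0; i < n_allowed; i++)
        for (size_t j = 0; j < n_offered; j++)
            if (offered[j] == allowed[i])
                return allowed[i];
    return -1;
}

/* The post's allow list: PKINIT types only. */
static const int pk_pa_list[] = { PA_PK_AS_REP, PA_PK_AS_REQ,
                                  PA_PK_AS_REP_OLD, PA_PK_AS_REQ_OLD };

/* Case 1: the KDC offers only ENC_TIMESTAMP. With the list honoured the
 * result is -1 (refuse), not a password-based preauth attempt. */
int pkinit_only_vs_timestamp(void)
{
    const int offered[] = { PA_ENC_TIMESTAMP };               /* constructed */
    return select_preauth(pk_pa_list, 4, offered, 1);
}

/* Case 2: the KDC offers ENC_TIMESTAMP and PK-AS-REQ; PKINIT is chosen
 * even though ENC_TIMESTAMP was listed first by the KDC. */
int pkinit_only_vs_timestamp_and_pkinit(void)
{
    const int offered[] = { PA_ENC_TIMESTAMP, PA_PK_AS_REQ }; /* constructed */
    return select_preauth(pk_pa_list, 4, offered, 2);
}
```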