issue with preauth processing

Will Fiveash William.Fiveash at sun.com
Wed Oct 21 20:01:37 EDT 2009


On Wed, Oct 21, 2009 at 06:46:33PM -0500, Will Fiveash wrote:
> I have an issue with the following behavior.  I want to limit the
> preauths tried by libkrb to only PKINIT types.  What I find is that
> libkrb5 will fall back to trying KRB5_PADATA_ENC_TIMESTAMP if all
> the attempts to do PKINIT preauth fail.  This doesn't seem like correct
> behavior if I've used krb5_get_init_creds_opt_set_preauth_list() to
> specify the preauths to try.  Here's how I tried to limit the preauths
> tried:
> 
>         krb5_preauthtype pk_pa_list[] = {
>             KRB5_PADATA_PK_AS_REP,
>             KRB5_PADATA_PK_AS_REQ,
>             KRB5_PADATA_PK_AS_REP_OLD,
>             KRB5_PADATA_PK_AS_REQ_OLD
>         };
> 
>         /* limit Preauth types to just those for PKINIT */
>         krb5_get_init_creds_opt_set_preauth_list(&opts, pk_pa_list, 4);
> 
>         code = krb5_get_init_creds_password(kmd->kcontext,
>             my_creds,
>             me,
>             NULL, /* clear text passwd */
>             pam_krb5_prompter, /* prompter */
>             pamh, /* prompter data */
>             0, /* start time */
>             NULL, /* defaults to krbtgt at REALM */
>             &opts);
> 
> I think the problem occurs here in krb5_get_init_creds()
> 
> line 1512:
>     if ((ret = krb5_do_preauth(context,
>                    &request,
>                    encoded_request_body, encoded_previous_request,
>                    local_as_reply->padata, &kdc_padata,
>                                ^^^^^^^^^^^^^^^^^^^^^^
>                    &salt, &s2kparams, &etype, &as_key, prompter,
>                    prompter_data, gak_fct, gak_data,
>                    &get_data_rock, options))) {
> 
> 
> The logic ignores the krb5_gic_opt_ext *options that is passed in to
> krb5_get_init_creds().  Thoughts?

Actually my analysis above is wrong.  The issue is here where
preauth_to_use is reset:

      if (should_continue_preauth(err_reply->error, loopcount) && retry) {
        /* reset the list of preauth types to try */
        if (preauth_to_use) {
            krb5_free_pa_data(context, preauth_to_use);
            preauth_to_use = NULL;
        }
        preauth_to_use = out_padata;
        out_padata = NULL;
        krb5_free_error(context, err_reply);
        err_reply = NULL;
        ret = sort_krb5_padata_sequence(context,
                        &request.server->realm,
                        preauth_to_use);

Perhaps somewhere there should be code to limit the preauth types to the
intersection of options->preauth_list and out_padata?

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
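As an added example (not code from the message or from the MIT krb5 tree), here is one way the intersection Will proposes could be applied to the KDC's offered padata before it replaces preauth_to_use. The krb5 types are minimal local stand-ins so the code compiles without <krb5.h>; the padata type numbers are the ones registered in RFC 4120 and RFC 4556, and the sample KDC reply is constructed.

```c
/* Added example; the type definitions below are stand-ins for the
 * krb5 ones so this builds stand-alone, not the real <krb5.h>. */
#include <stdlib.h>

typedef int krb5_preauthtype;
typedef struct { krb5_preauthtype pa_type; unsigned int length; char *contents; } krb5_pa_data;

#define KRB5_PADATA_ENC_TIMESTAMP 2   /* RFC 4120 */
#define KRB5_PADATA_PK_AS_REQ_OLD 14  /* pre-RFC PKINIT drafts */
#define KRB5_PADATA_PK_AS_REP_OLD 15
#define KRB5_PADATA_PK_AS_REQ     16  /* RFC 4556 */
#define KRB5_PADATA_PK_AS_REP     17
#define KRB5_PADATA_ETYPE_INFO2   19  /* RFC 4120 */

/* Nonzero if `type` appears in the caller's preauth allow-list. */
static int type_allowed(krb5_preauthtype type, const krb5_preauthtype *allowed, int n) {
    for (int i = 0; i < n; i++)
        if (allowed[i] == type) return 1;
    return 0;
}

/* Filter a NULL-terminated padata list in place, keeping only entries whose
 * type is in `allowed` (the intersection of the KDC's offer and the list set
 * with krb5_get_init_creds_opt_set_preauth_list()). Dropped entries are
 * freed. Returns the number of entries kept. */
int restrict_padata_to_list(krb5_pa_data **padata, const krb5_preauthtype *allowed, int n) {
    int kept = 0;
    if (padata == NULL) return 0;
    for (int i = 0; padata[i] != NULL; i++) {
        if (type_allowed(padata[i]->pa_type, allowed, n)) {
            padata[kept++] = padata[i];
        } else {
            free(padata[i]->contents);
            free(padata[i]);
        }
    }
    padata[kept] = NULL;
    return kept;
}

/* Constructed sample: the KDC offers four padata types; the allow-list is
 * the PKINIT-only list from the message. index < 0 returns the kept count,
 * otherwise the pa_type at that position (or -1 past the end). */
int demo_pkinit_only(int index) {
    static const krb5_preauthtype pk_pa_list[] = { KRB5_PADATA_PK_AS_REP, KRB5_PADATA_PK_AS_REQ,
                                                   KRB5_PADATA_PK_AS_REP_OLD, KRB5_PADATA_PK_AS_REQ_OLD };
    const krb5_preauthtype offered[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_ETYPE_INFO2,
                                         KRB5_PADATA_PK_AS_REQ, KRB5_PADATA_PK_AS_REP_OLD };
    krb5_pa_data *list[5];
    for (int i = 0; i < 4; i++) { list[i] = calloc(1, sizeof **list); list[i]->pa_type = offered[i]; }
    list[4] = NULL;
    int kept = restrict_padata_to_list(list, pk_pa_list, 4);
    int result = (index < 0) ? kept : (index < kept ? list[index]->pa_type : -1);
    for (int i = 0; i < kept; i++) free(list[i]);
    return result;
}
```

A PREAUTH_REQUIRED reply also carries informational padata such as ETYPE-INFO2 (salt and string-to-key parameters), which this strict intersection drops; a filter placed inside libkrb5 would need to keep those for password-based preauth to keep working.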


