issue with preauth processing

Sam Hartman hartmans at MIT.EDU
Fri Oct 23 16:48:58 EDT 2009

The preauth framework strongly encourages implementations to take
optimistic pre-auth as a hint.
If you try some pre-auth and get a PREAUTH_REQUIRED or PREAUTH_FAILED error, then you should take that as the KDC requesting you start over.
Now, if that second round fails, you should probably give up.

Basically, the question is whether we take that gic option call as an
optimization or security constraint.  Most people who have used it in
the past have been looking for an optimization.

More information about the krbdev mailing list