issue with preauth processing

Will Fiveash William.Fiveash at
Fri Oct 23 18:04:57 EDT 2009

On Fri, Oct 23, 2009 at 04:50:35PM -0500, Will Fiveash wrote:
> On Fri, Oct 23, 2009 at 04:48:58PM -0400, Sam Hartman wrote:
> > The preauth framework strongly encourages implementations to take
> > optimistic pre-auth as a hint.  If you try some pre-auth and get a
> > PREAUTH_REQUIRED or PREAUTH_FAILED error, then you should take that as
> > the KDC requesting you start over.  Now, if that second round fails,
> > you should probably give up.
> But consider pam_krb5 and prompting.  There may be situations where
> pam_krb5 wants to restrict libkrb and it's preauth plugins to only
> PKINIT and it's associated prompts.  How can that be done?

In addition I notice that kpasswd is prompting for a PIN if the system 
is configured to do PKINIT.  I notice in the source for kpasswd there is
a call to:

static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions )
    krb5_preauthtype    preauth[] = { KRB5_PADATA_ENC_TIMESTAMP };
    krb5_enctype        etypes[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC};
    krb5_get_init_creds_opt_set_address_list(outOptions, NULL);
    krb5_get_init_creds_opt_set_etype_list( outOptions, etypes, sizeof(etypes)/sizeof(krb5_enctype) );
    krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth, sizeof(preauth)/sizeof(krb5_preauthtype) );

Seems to me that the intention is to restrict the preauth to only

Will Fiveash
Sun Microsystems               Office x64079/512-401-1079
Austin, TX, 78727              (TZ=CST6CDT), USA
Internal Solaris Kerberos/GSS/SASL website:

More information about the krbdev mailing list