issue with preauth processing
Will Fiveash
William.Fiveash at sun.com
Fri Oct 23 18:04:57 EDT 2009
On Fri, Oct 23, 2009 at 04:50:35PM -0500, Will Fiveash wrote:
> On Fri, Oct 23, 2009 at 04:48:58PM -0400, Sam Hartman wrote:
> > The preauth framework strongly encourages implementations to take
> > optimistic pre-auth as a hint. If you try some pre-auth and get a
> > PREAUTH_REQUIRED or PREAUTH_FAILED error, then you should take that as
> > the KDC requesting you start over. Now, if that second round fails,
> > you should probably give up.
>
> But consider pam_krb5 and prompting. There may be situations where
> pam_krb5 wants to restrict libkrb and its preauth plugins to only
> PKINIT and its associated prompts. How can that be done?
In addition I notice that kpasswd is prompting for a PIN if the system
is configured to do PKINIT. I notice in the source for kpasswd there is
a call to:
#include <krb5.h>

/* kpasswd helper as quoted: no address list, DES-only enctypes, and a
   preauth list containing a single type. */
static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions )
{
    krb5_preauthtype preauth[] = { KRB5_PADATA_ENC_TIMESTAMP };
    krb5_enctype etypes[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC};

    krb5_get_init_creds_opt_set_address_list(outOptions, NULL);
    krb5_get_init_creds_opt_set_etype_list( outOptions, etypes, sizeof(etypes)/sizeof(krb5_enctype) );
    /* Only encrypted-timestamp preauth is listed; PKINIT is not. */
    krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth, sizeof(preauth)/sizeof(krb5_preauthtype) );
}
Seems to me that the intention is to restrict the preauth to only
KRB5_PADATA_ENC_TIMESTAMP.
--
Will Fiveash
Sun Microsystems Office x64079/512-401-1079
Austin, TX, 78727 (TZ=CST6CDT), USA
Internal Solaris Kerberos/GSS/SASL website: http://kerberos.sfbay.sun.com
http://opensolaris.org/os/project/kerberos/
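Added example, not part of the thread or of MIT krb5: a small Python model of the client loop Sam describes (optimistic preauth as a hint, one restart on PREAUTH_REQUIRED/PREAUTH_FAILED, then give up) combined with a caller-supplied preauth list in the role of krb5_get_init_creds_opt_set_preauth_list. The KDC, the prompt callback and the secret values are constructed; the pa-data type and error code numbers are the standard ones from RFC 4120 and RFC 4556. It shows that with the list restricted to enc-timestamp the client never prompts for a PIN even though the KDC offers PKINIT.

```python
"""Constructed model of a Kerberos AS exchange; not libkrb5 code."""

# pa-data types (RFC 4120 / RFC 4556) and KDC error codes
PA_ENC_TIMESTAMP = 2
PA_PK_AS_REQ = 16
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25

class KrbError(Exception):
    def __init__(self, code, hints=()):
        super().__init__(code)
        self.code, self.hints = code, tuple(hints)

def make_kdc(accepted):
    """Constructed KDC: always requires preauth; `accepted` maps pa-type -> value it verifies.
    Its error replies carry the pa-types it offers, as a real KDC's e-data would."""
    def kdc(padata):
        if padata is None:
            raise KrbError(KDC_ERR_PREAUTH_REQUIRED, hints=accepted)
        patype, value = padata
        if accepted.get(patype) != value:
            raise KrbError(KDC_ERR_PREAUTH_FAILED, hints=accepted)
        return "TGT"
    return kdc

def get_init_creds(kdc, preauth_list, optimistic, prompt):
    """Client loop. The optimistic type is only a hint and is tried only if the caller
    permits it; PREAUTH_REQUIRED/FAILED means start over once, choosing from the KDC's
    hints filtered by preauth_list; a second failure propagates (give up)."""
    attempt = optimistic if optimistic in preauth_list else None
    padata = (attempt, prompt(attempt)) if attempt is not None else None
    for round_no in (1, 2):
        try:
            return kdc(padata), round_no
        except KrbError as err:
            if round_no == 2 or err.code not in (KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_PREAUTH_FAILED):
                raise
            choice = next((t for t in err.hints if t in preauth_list), None)
            if choice is None:  # KDC offers nothing the caller allows
                raise KrbError(KDC_ERR_PREAUTH_FAILED) from err
            padata = (choice, prompt(choice))  # prompting happens only here

def run(preauth_list, optimistic=None):
    """Drive one client against a KDC offering PKINIT and enc-timestamp.
    Returns (outcome, rounds, list of pa-types the user was prompted for)."""
    prompted = []
    secrets = {PA_PK_AS_REQ: "pin", PA_ENC_TIMESTAMP: "password"}  # constructed
    def prompt(patype):
        prompted.append(patype)
        return secrets[patype]
    try:
        outcome, rounds = get_init_creds(make_kdc(secrets), preauth_list, optimistic, prompt)
    except KrbError as err:
        outcome, rounds = err.code, None
    return outcome, rounds, prompted
```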