Sam Hartman hartmans at MIT.EDU
Mon Oct 26 14:38:06 EDT 2009

>>>>> "Will" == Will Fiveash <William.Fiveash at> writes:

    Will> On Fri, Oct 23, 2009 at 04:50:35PM -0500, Will Fiveash wrote:
    >> On Fri, Oct 23, 2009 at 04:48:58PM -0400, Sam Hartman wrote:
    >> > The preauth framework strongly encourages implementations to take
    >> > optimistic pre-auth as a hint.  If you try some pre-auth and get a
    >> > PREAUTH_REQUIRED or PREAUTH_FAILED error, then you should take that as
    >> > the KDC requesting you start over.  Now, if that second round fails,
    >> > you should probably give up.
    >> 
    >> But consider pam_krb5 and prompting.  There may be situations
    >> where pam_krb5 wants to restrict libkrb and its preauth
    >> plugins to only PKINIT and its associated prompts.  How can
    >> that be done?

    Will> In addition I notice that kpasswd is prompting for a PIN if
    Will> the system is configured to do PKINIT.  I notice in the
    Will> source for kpasswd there is a call to:

    Will> static void
    Will> get_init_creds_opt_init(krb5_get_init_creds_opt *outOptions)
    Will> {
    Will>     krb5_preauthtype preauth[] = { KRB5_PADATA_ENC_TIMESTAMP };
    Will>     krb5_enctype etypes[] =
    Will>     krb5_get_init_creds_opt_set_address_list(outOptions, NULL);
    Will>     krb5_get_init_creds_opt_set_etype_list(outOptions, etypes,
    Will>                                            sizeof(etypes)/sizeof(krb5_enctype));
    Will>     krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth,
    Will>                                              sizeof(preauth)/sizeof(krb5_preauthtype));
    Will> }

    Will> Seems to me that the intention is to restrict the preauth to only

No, that sounds like optimistic pre-auth not a restriction.
Our kpasswd doesn't seem to have those calls.
The call to set the list of enctypes seems particularly unfortunate.
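The difference between an optimistic pre-auth list and an actual restriction, as an added illustration that is not code from MIT krb5 or from this thread: a small C model of the two-round client logic quoted above. The KDC is a constructed stand-in that accepts only PA-ENC-TIMESTAMP, the `allow` parameter is a hypothetical restriction that the library's set_preauth_list does not give you, and the PA type and error numbers are the RFC 4120 / RFC 4556 values.

```c
/* Model of the client-side pre-auth retry logic; not libkrb5 code.
   kdc_response() is a constructed KDC, allow/n is a hypothetical restriction. */
#include <stdbool.h>
#include <stddef.h>

#define PA_ENC_TIMESTAMP          2   /* RFC 4120 */
#define PA_PK_AS_REQ              16  /* RFC 4556, PKINIT */
#define KDC_ERR_PREAUTH_FAILED    24
#define KDC_ERR_PREAUTH_REQUIRED  25
#define AS_REP                    0   /* success */

/* Constructed KDC: requires pre-auth and only accepts PA-ENC-TIMESTAMP.
   *hint receives the PA type the KDC asks for in its error reply. */
static int kdc_response(int pa_type, int *hint)
{
    *hint = PA_ENC_TIMESTAMP;
    if (pa_type == 0) return KDC_ERR_PREAUTH_REQUIRED;   /* no pre-auth sent */
    if (pa_type == PA_ENC_TIMESTAMP) return AS_REP;
    return KDC_ERR_PREAUTH_FAILED;                       /* e.g. PKINIT not set up */
}

/* Hypothetical restriction: NULL means "anything", i.e. the default
   behaviour where an optimistic list only says what to try first. */
static bool allowed(int pa_type, const int *allow, size_t n)
{
    if (allow == NULL) return true;
    for (size_t i = 0; i < n; i++)
        if (allow[i] == pa_type) return true;
    return false;
}

/* optimistic: PA type tried first, as set_preauth_list would arrange.
   Returns the PA type that obtained an AS-REP, or -1 if the client gives up. */
int as_exchange(int optimistic, const int *allow, size_t n)
{
    int hint, err;
    /* Round 1: optimistic pre-auth is only a hint. */
    err = kdc_response(optimistic, &hint);
    if (err == AS_REP) return optimistic;
    if (err != KDC_ERR_PREAUTH_REQUIRED && err != KDC_ERR_PREAUTH_FAILED)
        return -1;
    /* Round 2: start over with what the KDC asked for. Without a real
       restriction this is where a PKINIT-only caller ends up prompting for
       a password, because enc-timestamp is now the type being tried. */
    if (!allowed(hint, allow, n)) return -1;
    err = kdc_response(hint, &hint);
    return err == AS_REP ? hint : -1;   /* second round failed: give up */
}
```

With `allow == NULL` the PKINIT-first client silently falls back to enc-timestamp, which is the prompting behaviour Will observed; only the explicit allow list makes it stop instead.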

