issue with preauth processing

ghudson@MIT.EDU ghudson at MIT.EDU
Tue Oct 27 14:03:10 EDT 2009

> Basically, the question is whether we take that gic option call as
> an optimization or security constraint.  Most people who have used
> it in the past have been looking for an optimization.

When I first read this, I took it as reasonable, but on
reconsideration I'm not sure.

My understanding is that prior to 1.7, we never continued after
PREAUTH_FAILED, so anyone calling
krb5_get_init_creds_opt_set_preauth_list was getting both an
optimization and a restriction.  So, even if people were "looking for"
an optimization, that's not what we were getting.  I would say that
1.7 introduced an incompatible change to that API.  If that's correct,
then the most correct thing to do is (1) fix that in 1.7.1, and (2)
add a new API for optimistic preauth.

More information about the krbdev mailing list