issue with preauth processing
ghudson at MIT.EDU
Tue Oct 27 14:03:10 EDT 2009
> Basically, the question is whether we take that gic option call as
> an optimization or security constraint. Most people who have used
> it in the past have been looking for an optimization.
When I first read this, I took it as reasonable, but on
reconsideration I'm not sure.

My understanding is that prior to 1.7, we never continued after
PREAUTH_FAILED, so anyone calling
krb5_get_init_creds_opt_set_preauth_list was getting both an
optimization and a restriction. So, even if people were "looking for"
an optimization, that's not what we were getting. I would say that
1.7 introduced an incompatible change to that API. If that's correct,
then the most correct thing to do is (1) fix that in 1.7.1, and (2)
add a new API for optimistic preauth.