preauth (I'm a Roomba in a 2'x2' room)
Jeff Blaine
jblaine at kickflop.net
Tue Apr 27 22:53:56 EDT 2010
I still can't make any sense of what is going on here.
What is pa type 95? 85? Neither is mentioned in
src/include/krb5/krb5.h. Does this make any sense to
anyone?
"myplugin" is registered, "illegally" for testing only,
in krb5.h as:
#define KRB5_KEYUSAGE_MYPLUGIN_CLIENT 57 /* jblaine */
#define KRB5_KEYUSAGE_MYPLUGIN_KDC 58 /* jblaine */
#define KRB5_PADATA_MYPLUGIN 150 /* jblaine */
Here's what happens:
[ krb5kdc.log ]
krb5kdc[9605](info): initialized realm MYREALM.OUR.ORG
krb5kdc[9605](info): preauth method timestamp "valid"
krb5kdc[9605](info): preauth method FAST "valid"
krb5kdc[9605](info): preauth method etype-info "valid"
krb5kdc[9605](info): preauth method etype-info2 "valid"
krb5kdc[9605](info): preauth method pw-salt "valid"
krb5kdc[9605](info): preauth method sam-response "valid"
krb5kdc[9605](info): preauth method sam-challenge "valid"
krb5kdc[9605](info): preauth method pac-request "valid"
krb5kdc[9605](info): preauth method Encrypted challenge "valid"
krb5kdc[9605](info): preauth method myplugin "valid"
...
[ here I initiate kinit on client using same codebase+install ]
[ for reference below, type 0x2 is KRB5_PADATA_ENC_TIMESTAMP ]
[ and type 0x13 is KRB5_PADATA_SAM_RESPONSE ]
...
krb5kdc[9606](debug): checking padata
krb5kdc[9606](debug): .. pa_type 0x95
krb5kdc[9606](debug): .. .. failed to find_pa_system
krb5kdc[9606](info): PREAUTH xx.yy.10.113: VALID: authtime 1272421575,
jblaine at MYREALM.OUR.ORG for krbtgt/MYREALM.OUR.ORG at MYREALM.OUR.ORG
krb5kdc[9606](debug): client needs preauth, no hw preauth; request has
no preauth, no hw preauth
krb5kdc[9606](debug): pa_hint of type 0x2
krb5kdc[9606](debug): pa_hint of type 0x13
krb5kdc[9606](info): AS_REQ (4 etypes {18 17 16 23}) xx.yy.10.113:
NEEDED_PREAUTH: jblaine at MYREALM.OUR.ORG for
krbtgt/MYREALM.OUR.ORG at MYREALM.OUR.ORG, Additional pre-authentication
required
krb5kdc[9606](debug): checking padata
krb5kdc[9606](debug): .. pa_type 0x85
krb5kdc[9606](debug): .. .. failed to find_pa_system()
krb5kdc[9606](debug): .. pa_type 0x2
krb5kdc[9606](debug): .. .. type 0x2 is timestamp
krb5kdc[9606](debug): .. .. .. ok
krb5kdc[9606](debug): .. pa_type 0x95
krb5kdc[9606](debug): .. .. failed to find_pa_system()
krb5kdc[9606](info): PREAUTH xx.yy.10.113: VALID: authtime 1272421578,
jblaine at MYREALM.OUR.ORG for krbtgt/MYREALM.OUR.ORG at MYREALM.OUR.ORG
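
The pa_type values in the log above carry a 0x prefix. As an added example (not part of the original post or of the krb5 source), this Python sketch decodes them as hexadecimal and groups them per "checking padata" block, marking the items for which the KDC logged no handler. It assumes the debug line prints the value in hex; the names for every type other than 150 are the krb5.h constants for the RFC-assigned numbers.

```python
import re

# Numbers: 2, 13, 19 from RFC 4120; 133, 136, 138 from RFC 6113; 149 from
# RFC 6806; 150 is the test-only KRB5_PADATA_MYPLUGIN define in the message.
PA_TYPES = {
    2: "KRB5_PADATA_ENC_TIMESTAMP", 13: "KRB5_PADATA_SAM_RESPONSE",
    19: "KRB5_PADATA_ETYPE_INFO2", 133: "KRB5_PADATA_FX_COOKIE",
    136: "KRB5_PADATA_FX_FAST", 138: "KRB5_PADATA_ENCRYPTED_CHALLENGE",
    149: "KRB5_ENCPADATA_REQ_ENC_PA_REP", 150: "KRB5_PADATA_MYPLUGIN",
}
PA_TYPE = re.compile(r"\.\. pa_type (0x[0-9a-fA-F]+)")

# Constructed sample, shaped like the debug lines in the log above.
SAMPLE_LOG = """\
krb5kdc[9606](debug): checking padata
krb5kdc[9606](debug): .. pa_type 0x95
krb5kdc[9606](debug): .. .. failed to find_pa_system
krb5kdc[9606](debug): checking padata
krb5kdc[9606](debug): .. pa_type 0x85
krb5kdc[9606](debug): .. .. failed to find_pa_system()
krb5kdc[9606](debug): .. pa_type 0x2
krb5kdc[9606](debug): .. .. .. ok
krb5kdc[9606](debug): .. pa_type 0x95
krb5kdc[9606](debug): .. .. failed to find_pa_system()
"""

def decode_requests(log_text):
    """Group padata per 'checking padata' block; one dict per padata item."""
    requests = []
    for line in log_text.splitlines():
        if line.endswith("checking padata"):
            requests.append([])
        elif requests and (m := PA_TYPE.search(line)):
            number = int(m.group(1), 16)  # assumption: printed with %x
            requests[-1].append({"type": number, "handled": True,
                                 "name": PA_TYPES.get(number, "unknown")})
        elif requests and requests[-1] and "failed to find_pa_system" in line:
            requests[-1][-1]["handled"] = False  # KDC logged no handler
    return requests

def types_sent(requests):
    """Set of decimal padata types the client sent across all requests."""
    return {item["type"] for req in requests for item in req}

if __name__ == "__main__":
    for i, req in enumerate(decode_requests(SAMPLE_LOG), 1):
        for item in req:
            state = "handled" if item["handled"] else "no KDC handler"
            print(f"request {i}: {item['type']:3} {item['name']} ({state})")
```

Read this way, the three values in the sample are decimal 149, 133 and 2; a padata item of type 150 would appear in this log format as 0x96.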