question about krb5_verify_init_creds() and verify_ap_req_nofail
Greg Hudson
ghudson at MIT.EDU
Tue Jan 11 13:05:18 EST 2011
On Mon, 2011-01-10 at 18:31 -0500, Will Fiveash wrote:
> What
> confuses me is that the MIT code (and Solaris to a lesser degree) does a
> number of things that could cause krb5_verify_init_creds() to return an
> error before checking the setting of KRB5_CONF_VERIFY_AP_REQ_NOFAIL and
> I'm wondering if this is correct. Basically shouldn't
> verify_ap_req_nofail be checked first and if it is false just return 0?

I believe the code matches the intent, which is:

By default, succeed if and only if:
- No keying material is available
- A key is available and verification using that key succeeds

If verify_ap_req_nofail is set, succeed if and only if:
- A key is available and verification using that key succeeds

So, only the specific failure of "no keying material is available"
should consult the value of verify_ap_req_nofail.
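
A small C model of the rule stated in the reply, compared against the check-the-option-first ordering raised in the question. This is an added example, not MIT krb5 code; the enum, function names and return values are constructed for illustration. It enumerates every input and finds the one case where the two orderings differ: a key is available, verification with it fails, and verify_ap_req_nofail is unset.

```c
#include <stdio.h>

/* Constructed model, not MIT krb5 source: the three host-key situations
 * the message distinguishes. */
enum key_state { NO_KEY, KEY_VERIFIES, KEY_FAILS };

#define VERIFY_OK   0
#define VERIFY_FAIL (-1)   /* placeholder for any krb5 error code */

/* Intent as stated in the reply: only the "no keying material" case
 * consults verify_ap_req_nofail. */
int verify_intended(enum key_state ks, int nofail)
{
    if (ks == NO_KEY)
        return nofail ? VERIFY_FAIL : VERIFY_OK;
    return ks == KEY_VERIFIES ? VERIFY_OK : VERIFY_FAIL;
}

/* Ordering proposed in the question: check the option first and
 * return 0 whenever it is false. */
int verify_option_first(enum key_state ks, int nofail)
{
    if (!nofail)
        return VERIFY_OK;
    return ks == KEY_VERIFIES ? VERIFY_OK : VERIFY_FAIL;
}

/* Count the (key_state, nofail) inputs where the two orderings disagree,
 * and report the last one found through the out-parameters. */
int count_divergences(enum key_state *ks_out, int *nofail_out)
{
    int n = 0;
    for (int ks = NO_KEY; ks <= KEY_FAILS; ks++)
        for (int nofail = 0; nofail <= 1; nofail++)
            if (verify_intended(ks, nofail) != verify_option_first(ks, nofail)) {
                *ks_out = (enum key_state)ks;
                *nofail_out = nofail;
                n++;
            }
    return n;
}

int main(void)
{
    enum key_state ks = NO_KEY; int nofail = 0;
    int n = count_divergences(&ks, &nofail);
    printf("divergent inputs: %d (key_state=%d, nofail=%d)\n", n, ks, nofail);
    return 0;
}
```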