workaround for 1.0.x bogus PA-PW-SALT (Re: Compatibility with 1.0.x)
tlyu at MIT.EDU
Thu Apr 19 13:06:55 EDT 2012
Nathaniel McCallum <npmccallum at redhat.com> writes:

> In working on the more flexible responder interface I came across a
> section of code in lib/krb5/krb/preauth2.c, starting on line 1491, that
> is "really gross" but provides compatibility with 1.0.x KDCs. Is this
> code still necessary? Or can it be removed?

It's not clear whether it's still necessary, but if you want to remove
it, we should document the underlying interop problem somewhere
useful. Also, I'm fairly sure that some other stuff crept into that
switch statement since that comment was written, and it may no longer
be safe to simply delete the entire switch statement.

The problem was serious; as I recall, it caused login failures that
were very difficult to diagnose because the client kept trying to use
the wrong salt with a user's password.

author tlyu <tlyu at dc483132-0cff-0310-8789-dd5450dbe970> 939949698 +0000
committer tlyu <tlyu at dc483132-0cff-0310-8789-dd5450dbe970> 939949698 +0000

* preauth2.c (krb5_do_preauth): Add gross workaround for 1.0.x KDC
returning a bogus PA-PW-SALT in a KRB-ERROR message when a
principal requires preauth: ignore salt hints if an etype_info is

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-1@11861 dc483132-0cff-0310-8789-dd5450dbe970