workaround for 1.0.x bogus PA-PW-SALT (Re: Compatibility with 1.0.x)

Tom Yu tlyu at MIT.EDU
Thu Apr 19 13:06:55 EDT 2012

Nathaniel McCallum <npmccallum at> writes:

> In working on the more flexible responder interface I came across a
> section of code in lib/krb5/krb/preauth2.c, starting on line 1491, that
> is "really gross" but provides compatibility with 1.0.x KDCs. Is this
> code still necessary? Or can it be removed?

It's not clear whether it's still necessary, but if you want to remove
it, we should document the underlying interop problem somewhere
useful.  Also, I'm fairly sure that some other stuff crept into that
switch statement since that comment was written, and it may no longer
be safe to simply delete the entire switch statement.

The problem was serious; as I recall, it caused login failures that
were very difficult to diagnose because the client kept trying to use
the wrong salt with a user's password.

tree e3bc0cd008db0b916ec235e7735b8d15bf45c352
parent a064f9b6c8f3c00d00b791bc7b8c13706d6b8d8d
author tlyu <tlyu at dc483132-0cff-0310-8789-dd5450dbe970> 939949698 +0000
committer tlyu <tlyu at dc483132-0cff-0310-8789-dd5450dbe970> 939949698 +0000

	* preauth2.c (krb5_do_preauth): Add gross workaround for 1.0.x KDC
	returning a bogus PA-PW-SALT in a KRB-ERROR message when a
	principal requires preauth: ignore salt hints if an etype_info is

git-svn-id: svn:// dc483132-0cff-0310-8789-dd5450dbe970

More information about the krbdev mailing list