Disabling PA-REQ-ENC-PA-REP (149) preauth?

Greg Hudson ghudson at MIT.EDU
Sat Jan 14 13:18:59 EST 2012


On 01/14/2012 10:04 AM, Aleksander Adamowski wrote:
> All is well, but the problem is that the latest trunk version of
> libkrb5 seems to use an experimental PA-REQ-ENC-PA-REP (149) pre
> authentication (with an empty preauth value) that's currently part of
> a draft specification for Kerberos Referrals
> (http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-13).
> 
> Obviously, Apache DS's Kerberos protocol handler doesn't yet know
> about such preauth and returns an error message.
> 
> Is there a way to disable this behaviour in libkrb5?

No, there's no way to turn this off.  As discussed in RFC 4120 sections
1.5.2 and 5.2.7, the krb5 protocol uses pa-data values for more than
just pre-authentication.  This one indicates that the client can accept
an extra ASN.1 field in the encrypted reply.

KDC implementations must ignore unrecognized padata fields.  This
requirement is a fundamental basis of krb5 protocol extensibility; there
is really no way implementations can work around or accommodate a failure
to do so.

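The behaviour the reply describes, as an added example that is not part of the thread and is not code from MIT krb5 or Apache DS: a minimal DER codec for the PA-DATA structure of RFC 4120 section 5.2.7 (SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }, explicit tagging), plus two KDC-side dispatchers. The conforming one acts on the types it knows and skips the rest, so a client sending PA-REQ-ENC-PA-REP (149) with an empty value is handled as a capability flag; the "strict" one, constructed purely for contrast and not a claim about what Apache DS does internally, rejects any type it has not heard of. The padata-type number 2 (PA-ENC-TIMESTAMP) is from RFC 4120; 149 is the value named in the message. The sample request bytes, the placeholder EncryptedData content, the unknown type 9999 and all function names are assumptions made for the example.

```python
"""Minimal DER codec for SEQUENCE OF PA-DATA (RFC 4120 section 5.2.7) and two
KDC-side padata dispatchers: one that ignores unknown types, one that rejects them."""

PA_ENC_TIMESTAMP = 2       # RFC 4120
PA_REQ_ENC_PA_REP = 149    # value named in the message above; sent with an empty value


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    """Minimal-length two's-complement INTEGER content."""
    if value == 0:
        return b"\x00"
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def encode_padata(entries) -> bytes:
    """Encode [(padata-type, padata-value), ...] as SEQUENCE OF PA-DATA."""
    items = b""
    for ptype, pvalue in entries:
        pa = _tlv(0xA1, _tlv(0x02, _der_int(ptype)))   # padata-type  [1] Int32
        pa += _tlv(0xA2, _tlv(0x04, pvalue))           # padata-value [2] OCTET STRING
        items += _tlv(0x30, pa)                        # PA-DATA ::= SEQUENCE
    return _tlv(0x30, items)                           # SEQUENCE OF PA-DATA


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _expect(buf: bytes, pos: int, tag: int):
    got, content, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return content, nxt


def decode_padata(buf: bytes):
    """Decode a SEQUENCE OF PA-DATA into [(padata-type, padata-value), ...]."""
    seq, end = _expect(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing data after SEQUENCE OF PA-DATA")
    entries, pos = [], 0
    while pos < len(seq):
        pa, pos = _expect(seq, pos, 0x30)
        t1, off = _expect(pa, 0, 0xA1)
        raw_int, _ = _expect(t1, 0, 0x02)
        t2, _ = _expect(pa, off, 0xA2)
        value, _ = _expect(t2, 0, 0x04)
        entries.append((int.from_bytes(raw_int, "big", signed=True), value))
    return entries


def kdc_process_padata(buf: bytes) -> dict:
    """Conforming KDC: act on the padata types it knows, silently skip the rest."""
    state = {"enc_timestamp": None, "client_wants_enc_pa_rep": False, "ignored": []}
    for ptype, pvalue in decode_padata(buf):
        if ptype == PA_ENC_TIMESTAMP:
            state["enc_timestamp"] = pvalue
        elif ptype == PA_REQ_ENC_PA_REP:
            state["client_wants_enc_pa_rep"] = True   # empty value: a capability flag, not a proof
        else:
            state["ignored"].append(ptype)           # unknown type: must be ignored
    return state


class UnknownPadata(Exception):
    pass


def kdc_process_padata_strict(buf: bytes) -> dict:
    """Non-conforming contrast (constructed): every new padata type is a hard error."""
    state = {"enc_timestamp": None}
    for ptype, pvalue in decode_padata(buf):
        if ptype == PA_ENC_TIMESTAMP:
            state["enc_timestamp"] = pvalue
        else:
            raise UnknownPadata(f"unsupported padata-type {ptype}")
    return state


# Constructed sample request: the shape the message describes.  The timestamp
# value is a placeholder, not a real EncryptedData encoding.
SAMPLE_REQUEST = encode_padata([
    (PA_REQ_ENC_PA_REP, b""),
    (PA_ENC_TIMESTAMP, b"opaque-EncryptedData"),
])

if __name__ == "__main__":
    print(kdc_process_padata(SAMPLE_REQUEST))
    try:
        kdc_process_padata_strict(SAMPLE_REQUEST)
    except UnknownPadata as exc:
        print("strict KDC rejected the request:", exc)
```

Running it shows the conforming dispatcher returning the timestamp and the "wants enc-pa-rep" flag, while the strict one fails on type 149 before it ever looks at the timestamp, which is the interoperability failure the reply is describing.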
