Disabling PA-REQ-ENC-PA-REP (149) preauth?

Greg Hudson ghudson at MIT.EDU
Sat Jan 14 13:18:59 EST 2012

On 01/14/2012 10:04 AM, Aleksander Adamowski wrote:
> All is well, but the problem is that the latest trunk version of
> libkrb5 seems to use an experimental PA-REQ-ENC-PA-REP (149) pre
> authentication (with an empty preauth value) that's currently part of
> a draft specification for Kerberos Referrals
> (http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-13).
> Obviously, Apache DS's Kerberos protocol handler doesn't yet know
> about such preauth and returns an error message.
> Is there a way to disable this behaviour in libkrb5?

No, there's no way to turn this off.  As discussed in RFC 4120 sections
1.5.2 and 5.2.7, the krb5 protocol uses pa-data values for more than
just pre-authentication.  This one indicates that the client can accept
an extra ASN.1 field in the encrypted reply.

KDC implementations must ignore unrecognized padata fields.  This
requirement is a fundamental basis of krb5 protocol extensibility; there
is really no way implementations can work around or accomodate a failure
to do so.

More information about the krbdev mailing list