[30637] in Kerberos


MIT preference of returning KEY_EXP vs. NAME_EXP

daemon@ATHENA.MIT.EDU (Phil Pishioneri)
Mon Jan 19 14:49:12 2009

Message-ID: <4974D8FD.5080803@psu.edu>
Date: Mon, 19 Jan 2009 14:48:13 -0500
From: Phil Pishioneri <pgp@psu.edu>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

If both a client principal and its password have expired, is the fact 
that the MIT KDC prefers to return a status of KDC_ERR_KEY_EXP over 
KDC_ERR_NAME_EXP a deliberate choice, or just how it is? And if "how it 
is", would a bug (to switch the two checks around) be likely to be accepted?

The code in question is in kdc/kdc_util.c, validate_as_request(), 
approx. line 907 on the trunk:

    /* The client's password must not be expired, unless the server is
       a KRB5_KDC_PWCHANGE_SERVICE. */
    if (client.pw_expiration && client.pw_expiration < kdc_time &&
        !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
        return(KRB_ERR_GENERIC);
#else
        return(KDC_ERR_KEY_EXP);
#endif
    }

    /* The client must not be expired */
    if (client.expiration && client.expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
#ifdef KRBCONF_VAGUE_ERRORS
        return(KRB_ERR_GENERIC);
#else
        return(KDC_ERR_NAME_EXP);
#endif
    }

Heimdal appears to prefer NAME_EXP; don't know how other KDCs act.

-Phil

(Asked on kerberos instead of krbdev since it could be a policy question.)
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
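The following is an added illustration, not code from the post or from MIT krb5: it models the two expiry checks from validate_as_request() as plain C functions so the effect of their order can be seen side by side. The enum values, struct fields, the "pwchange service" flag passed as a plain int, and the timestamps are all constructed stand-ins for the real KDB entry fields, isflagset() and KDC_ERR_* codes. validate_mit_order() keeps the order quoted above (password first); validate_swapped_order() is the order the post proposes (principal first).

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical stand-ins for the KDC result codes compared in the post.
 * The real KDC_ERR_KEY_EXP / KDC_ERR_NAME_EXP live in krb5's headers;
 * these only need to be distinguishable. */
enum kdc_status {
    STATUS_OK = 0,
    STATUS_KEY_EXP,   /* password expired  (stands in for KDC_ERR_KEY_EXP)  */
    STATUS_NAME_EXP   /* principal expired (stands in for KDC_ERR_NAME_EXP) */
};

/* Minimal model of the client entry fields the two checks read.
 * 0 means "never expires". */
struct client_entry {
    time_t expiration;      /* principal expiry */
    time_t pw_expiration;   /* password expiry  */
};

/* Order as quoted from MIT validate_as_request(): password check first.
 * server_is_pwchange_service models isflagset(server.attributes,
 * KRB5_KDB_PWCHANGE_SERVICE). */
enum kdc_status validate_mit_order(const struct client_entry *client,
                                   int server_is_pwchange_service,
                                   time_t kdc_time)
{
    if (client->pw_expiration && client->pw_expiration < kdc_time &&
        !server_is_pwchange_service)
        return STATUS_KEY_EXP;
    if (client->expiration && client->expiration < kdc_time)
        return STATUS_NAME_EXP;
    return STATUS_OK;
}

/* The order the post proposes: principal check first. */
enum kdc_status validate_swapped_order(const struct client_entry *client,
                                       int server_is_pwchange_service,
                                       time_t kdc_time)
{
    if (client->expiration && client->expiration < kdc_time)
        return STATUS_NAME_EXP;
    if (client->pw_expiration && client->pw_expiration < kdc_time &&
        !server_is_pwchange_service)
        return STATUS_KEY_EXP;
    return STATUS_OK;
}

static const char *status_name(enum kdc_status s)
{
    switch (s) {
    case STATUS_KEY_EXP:  return "KDC_ERR_KEY_EXP";
    case STATUS_NAME_EXP: return "KDC_ERR_NAME_EXP";
    default:              return "OK";
    }
}

int main(void)
{
    const time_t now = 1000000;   /* constructed kdc_time */
    /* Constructed cases: { label, { principal expiry, password expiry } } */
    struct { const char *label; struct client_entry c; } cases[] = {
        { "both expired",    { now - 10, now - 10 } },
        { "only password",   { 0,        now - 10 } },
        { "only principal",  { now - 10, 0        } },
        { "nothing expired", { now + 10, now + 10 } },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-16s MIT: %-17s swapped: %-17s MIT/pwchange svc: %s\n",
               cases[i].label,
               status_name(validate_mit_order(&cases[i].c, 0, now)),
               status_name(validate_swapped_order(&cases[i].c, 0, now)),
               status_name(validate_mit_order(&cases[i].c, 1, now)));
    }
    return 0;
}
```

The "both expired" row is the case the post asks about: the MIT order reports KDC_ERR_KEY_EXP, the swapped order KDC_ERR_NAME_EXP. The last column shows that when the server is the password-change service, the MIT order already skips the password check and falls through to KDC_ERR_NAME_EXP, so the only difference between the two orderings is which error an ordinary AS request sees for a principal whose account and password have both lapsed.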
