[15887] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

[krbdev.mit.edu #7672] KDC can emit PREAUTH_REQUIRED error with

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Feb 12 12:14:07 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-7672@krbdev.mit.edu>
Message-ID: <rt-7672-48254.5.52182118454439@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #7672'":;
Date: Mon, 12 Feb 2018 12:08:47 -0500 (EST)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

This scenario can also occur if the request enctypes list and the 
client keys do not overlap, e.g.:

  make testrealm
  kadmin.local cpw -pw user -e aes256-cts user
  kadmin.local modprinc +preauth user
  in krb5.conf: [libdefaults] default_tkt_enctypes = aes128-cts
  kinit user

We tolerate the lack of a client key in case we can use PKINIT or OTP, 
but when we can't offer one of those we offer the same meaningless 
133/136 hint list as in the +hwauth case.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs

home help back first fref pref prev next nref lref last post