[16812] in Kerberos-V5-bugs
[krbdev.mit.edu #9046] requires_hwauth can cause a preauth loop with
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed Jan 19 11:20:25 2022
From: "Greg Hudson via RT" <rt-comment@kerborg-prod-app-1.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-1037113-1642609173-389.9046-4-0@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9046":;
Date: Wed, 19 Jan 2022 11:19:34 -0500
MIME-Version: 1.0
Reply-To: rt-comment@kerborg-prod-app-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Wed Jan 19 11:19:33 2022: Request 9046 was acted upon.
Transaction: Ticket created by ghudson@mit.edu
Queue: krb5
Subject: requires_hwauth can cause a preauth loop with PKINIT
Owner: Nobody
Requestors: ghudson@mit.edu
Status: new
Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9046 >
If an admin sets requires_hwauth on a principal and configures PKINIT but not
a certauth module to set the hw-authent ticket flag, this happens during an AS
request:
1. The client sends an unauthenticated request.
2. The KDC responds with PREAUTH_REQUIRED and a hint list offering PKINIT.
3. The client sends a PKINIT-authenticated request.
4. The KDC validates the PKINIT padata, but determines that the preauth
requirements are not met, so responds again with PREAUTH_REQUIRED and the same
hint list.
and we repeat again from step 2 until the loop count is detected. This is
similar to issue 7672, but there the problem is a useless hint list. Issue
8879 (certauth) is related because it allows PKINIT to be offered for
requires_hwauth client principals.
The KDC should probably recognize this situation at step 4 (specifically, that
pre-authent is set but not hw-authent), log a specific message about
insufficient preauth, and respond with PREAUTH_FAILED instead of
PREAUTH_REQUIRED.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
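The exchange described in the ticket, as an added model written for this archive page (Python; it is not krb5 code and not part of the original message). It models a client that retries with whatever the KDC's hint list offers, and a KDC that can run in three configurations: the reported one (requires_hwauth set, PKINIT offered, no certauth module setting hw-authent), the same with a certauth module that sets hw-authent, and the proposed behaviour of answering PREAUTH_FAILED once the padata validated but the hw-authent requirement is still unmet. The error-code names follow RFC 4120; the hint-list contents, the client's loop limit and the log text are assumptions of the model, not values taken from the krb5 source.

```python
"""Model of the AS-exchange preauth loop from krbdev.mit.edu #9046.

Constructed illustration only: the message shapes and the client loop
limit are simplified assumptions, not MIT krb5 internals.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

KDC_ERR_PREAUTH_REQUIRED = "KDC_ERR_PREAUTH_REQUIRED"   # RFC 4120 error 25
KDC_ERR_PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"       # RFC 4120 error 24
PA_PK_AS_REQ = "PA-PK-AS-REQ"                           # PKINIT padata type
MAX_PREAUTH_ROUNDS = 10   # assumption: the modelled client's loop limit


@dataclass
class Principal:
    name: str
    requires_preauth: bool = True
    requires_hwauth: bool = False


@dataclass
class ASReq:
    client: str
    padata: Tuple[str, ...] = ()      # empty tuple = unauthenticated request


@dataclass
class ASRep:
    ticket_flags: frozenset           # e.g. {"pre-authent", "hw-authent"}


@dataclass
class KDCError:
    code: str
    hint_list: Tuple[str, ...]
    log: str = ""


Response = Union[ASRep, KDCError]


def make_db() -> Dict[str, Principal]:
    """Constructed principal database: one user with requires_hwauth set."""
    return {"hwuser@EXAMPLE.COM": Principal("hwuser@EXAMPLE.COM",
                                            requires_hwauth=True)}


def kdc_handle(req: ASReq, db: Dict[str, Principal],
               certauth_sets_hwauth: bool, fixed: bool) -> Response:
    """Modelled KDC decision for one AS-REQ.

    certauth_sets_hwauth: a certauth module marks the ticket hw-authent.
    fixed: apply the behaviour proposed in the ticket (PREAUTH_FAILED with
    a specific log line instead of repeating PREAUTH_REQUIRED).
    """
    princ = db[req.client]
    hints = (PA_PK_AS_REQ,)           # PKINIT is the only mechanism offered
    if princ.requires_preauth and not req.padata:
        return KDCError(KDC_ERR_PREAUTH_REQUIRED, hints)   # step 2
    # PKINIT padata is modelled as always validating at this point.
    flags = {"pre-authent"}
    if certauth_sets_hwauth:
        flags.add("hw-authent")
    if princ.requires_hwauth and "hw-authent" not in flags:
        if fixed:                     # proposed step 4 behaviour
            return KDCError(KDC_ERR_PREAUTH_FAILED, (),
                            log="insufficient preauth: pre-authent set but "
                                "hw-authent required")
        return KDCError(KDC_ERR_PREAUTH_REQUIRED, hints)   # reported step 4
    return ASRep(frozenset(flags))


def client_as_exchange(client: str, db: Dict[str, Principal],
                       certauth_sets_hwauth: bool, fixed: bool
                       ) -> Tuple[str, List[Tuple[Tuple[str, ...], Response]]]:
    """Run the client side; returns outcome and the per-round transcript."""
    transcript = []
    req = ASReq(client)                       # step 1: no padata
    for _ in range(MAX_PREAUTH_ROUNDS):
        resp = kdc_handle(req, db, certauth_sets_hwauth, fixed)
        transcript.append((req.padata, resp))
        if isinstance(resp, ASRep):
            return "success", transcript
        if resp.code == KDC_ERR_PREAUTH_REQUIRED:
            req = ASReq(client, padata=resp.hint_list)   # step 3: retry
            continue
        return "failed", transcript           # any other error ends it
    return "loop", transcript                 # client's loop count tripped


if __name__ == "__main__":
    db = make_db()
    for label, hw, fixed in (("reported", False, False),
                             ("with certauth", True, False),
                             ("proposed fix", False, True)):
        outcome, tr = client_as_exchange("hwuser@EXAMPLE.COM", db, hw, fixed)
        print(f"{label:14s} -> {outcome} after {len(tr)} round(s)")
```

In the reported configuration the model never leaves the PREAUTH_REQUIRED/PKINIT cycle and the client's loop counter is what terminates it; with a certauth module setting hw-authent the second request succeeds; with the proposed change the second request is refused with PREAUTH_FAILED and a log line naming the unmet requirement, so the client stops after two rounds.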