[16827] in Kerberos-V5-bugs
[krbdev.mit.edu #9037] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Thu Mar 17 14:49:12 2022
From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
Message-ID: <rt-4.4.3-2-550065-1647542916-244.9037-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9037":;
Date: Thu, 17 Mar 2022 14:48:36 -0400

<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9037 >

Try harder to avoid password change replay errors

Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed
change_set_password() to prefer TCP. However, because UDP_LAST falls
back to UDP after one second, we can still get a replay error due to a
dropped packet, before the TCP layer has a chance to retry.

Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server. In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.

https://github.com/krb5/krb5/commit/6297788e24cefa8f3fdd36f514e2e6569fa7b34a
Author: Greg Hudson <ghudson@mit.edu>
Commit: 6297788e24cefa8f3fdd36f514e2e6569fa7b34a
Branch: master

 src/lib/krb5/os/changepw.c   |  9 ++++++++-
 src/lib/krb5/os/os-proto.h   |  1 +
 src/lib/krb5/os/sendto_kdc.c | 12 ++++++++----
 3 files changed, 17 insertions(+), 5 deletions(-)
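
The failure mode and the new fallback order described in the commit message, as a toy model added here as an example (not code from krb5 or from the commit). The one-entry replay cache, the timing parameter and the names send_once, change_old and change_new are assumptions; only the strategy names and the one-second fallback come from the message.

```c
#include <stdio.h>
/* Simplified model, not krb5 code: only the strategy names and the
 * one-second UDP fallback come from the commit message. */
enum strategy { UDP_LAST, NO_UDP, ONLY_UDP };
enum outcome { CHANGED_OK, REPLAY_ERROR, NO_SERVER };
#define UDP_FALLBACK_MS 1000
struct server { int seen; };    /* one-entry replay cache (assumption) */

/* The server accepts a request once; a second copy is a replay. */
static enum outcome server_handle(struct server *s)
{
    if (s->seen)
        return REPLAY_ERROR;
    s->seen = 1;
    return CHANGED_OK;
}

/* tcp_up: a TCP connection reaches a server.  tcp_reply_ms: when the TCP
 * reply arrives, including retransmission delay after a dropped packet. */
static enum outcome send_once(enum strategy st, struct server *s,
                              int tcp_up, int tcp_reply_ms)
{
    enum outcome r;
    if (st == ONLY_UDP)
        return server_handle(s);
    if (!tcp_up)
        return (st == UDP_LAST) ? server_handle(s) : NO_SERVER;
    r = server_handle(s);           /* request delivered over TCP */
    if (st == UDP_LAST && tcp_reply_ms > UDP_FALLBACK_MS)
        r = server_handle(s);       /* same request resent over UDP */
    return r;                       /* assumed: UDP reply is seen first */
}

/* Before the commit: a single pass with UDP_LAST. */
enum outcome change_old(int tcp_up, int tcp_reply_ms)
{
    struct server s = { 0 };
    return send_once(UDP_LAST, &s, tcp_up, tcp_reply_ms);
}

/* After: NO_UDP first, ONLY_UDP only if no server was reached over TCP. */
enum outcome change_new(int tcp_up, int tcp_reply_ms)
{
    struct server s = { 0 };
    enum outcome r = send_once(NO_UDP, &s, tcp_up, tcp_reply_ms);
    return (r == NO_SERVER) ? send_once(ONLY_UDP, &s, 0, 0) : r;
}

int main(void)
{
    printf("old=%d new=%d\n", change_old(1, 3000), change_new(1, 3000));
    return 0;
}
```

With a TCP reply delayed to 3000 ms, the old order reports a replay error even though the server applied the change, while the new order waits for TCP and reports success.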