[2618] in Kerberos-V5-bugs
krb5-kdc/329: V4 requests bypass preauth required in kdc
daemon@ATHENA.MIT.EDU (epeisach@MIT.EDU)
Wed Jan 1 23:20:35 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, epeisach@MIT.EDU
Date: Wed, 1 Jan 1997 23:19:37 -0500
From: epeisach@MIT.EDU
Reply-To: epeisach@MIT.EDU
To: krb5-bugs@MIT.EDU
>Number: 329
>Category: krb5-kdc
>Synopsis: V4 requests bypass preauth required in kdc
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Wed Jan 01 23:20:00 EST 1997
>Last-Modified:
>Originator: Ezra Peisach
>Organization:
mit
>Release: 1.0-development
>Environment:
System: OSF1 kangaroo.mit.edu V3.2 214 alpha
Machine: alpha
>Description:
If you set the preauth required flag on a principal in the
database, you can still get a v4 request.
We need a cutoff switch configurable in the kdc.conf that tells
the kdc to do one of the following:
a) Ignore all v4 request all together (i.e. for security concerns)
b) Return an error for v4 requests on all principals. (i.e. be nice)
c) Preauth principals will not be returned - with error
d) All principals w/ and w/o preauth types are allowed.
>How-To-Repeat:
>Fix:
I am working on code to do the above.
ezra
>Audit-Trail:
>Unformatted: