[2618] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

krb5-kdc/329: V4 requests bypass preauth required in kdc

daemon@ATHENA.MIT.EDU (epeisach@MIT.EDU)
Wed Jan 1 23:20:35 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, epeisach@MIT.EDU
Date: Wed, 1 Jan 1997 23:19:37 -0500
From: epeisach@MIT.EDU
Reply-To: epeisach@MIT.EDU
To: krb5-bugs@MIT.EDU


>Number:         329
>Category:       krb5-kdc
>Synopsis:       V4 requests bypass preauth required in kdc
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          change-request
>Submitter-Id:   unknown
>Arrival-Date:   Wed Jan 01 23:20:00 EST 1997
>Last-Modified:
>Originator:     Ezra Peisach
>Organization:
mit
>Release:        1.0-development
>Environment:
	
System: OSF1 kangaroo.mit.edu V3.2 214 alpha
Machine: alpha
>Description:
	If you set the preauth required flag on a principal in the
	database, you can still get a v4 request.

	We need a cutoff switch configurable in the kdc.conf that tells
the kdc to do one of the following:
	a) Ignore all v4 request all together (i.e. for security concerns)
	b) Return an error for v4 requests on all principals. (i.e. be nice)
	c) Preauth principals will not be returned - with error
	d) All principals w/ and w/o preauth types are allowed.



>How-To-Repeat:
	
>Fix:
	
I am working on code to do the above.
	ezra
>Audit-Trail:
>Unformatted:

home help back first fref pref prev next nref lref last post