[2990] in Kerberos-V5-bugs
krb5-kdc/652: preauth shouldn't fail if client doesn't need it
daemon@ATHENA.MIT.EDU (fcusack@iconnet.net)
Thu Oct 29 19:33:31 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, fcusack@iconnet.net
Date: Thu, 29 Oct 1998 19:27:14 -0500 (EST)
From: fcusack@iconnet.net
Reply-To: fcusack@iconnet.net
To: krb5-bugs@MIT.EDU
>Number: 652
>Category: krb5-kdc
>Synopsis: preauth shouldn't fail if client doesn't need it
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Oct 29 19:27:01 EST 1998
>Last-Modified:
>Originator: Frank Cusack
>Organization:
Icon CMT Corp.
>Release: krb5-current-19981012
>Environment:
N/A
System: SunOS ratbert 5.6 Generic_105181-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Description:
If preauth fails because the preauth data from the
client was of an unknown type, and the principal does not
require preauth, then the preauth should be disregarded.
The RFC specifically says this for PA-ENC-TIMESTAMP.
However, the KDC will generate an error if the type is
unknown. (If a known preauth is presented, and fails,
an error should still be generated, regardless of
whether or not the principal requires preauth.)
>How-To-Repeat:
Create a principal that does not require preauth.
Use the Cybersafe client to generate a TGT request. Choose
"no preauth". Cybersafe will include pa data of type
237 (disregard the fact that they shouldn't do that).
This will generate a preauth error.
>Fix:
diff -u -r1.8 kdc_preauth.c
--- kdc_preauth.c 1998/10/21 19:09:18 1.8
+++ kdc_preauth.c 1998/10/30 00:24:57
@@ -280,6 +280,13 @@
}
if (pa_ok)
return 0;
+
+ /* pa system was not found, but principal doesn't require preauth */
+ if (!pa_found &&
+ !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
+ !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+ return 0;
+
if (!pa_found)
com_err("krb5kdc", retval, "no valid preauth type found");
return KRB5KDC_ERR_PREAUTH_FAILED;
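Review bot: the new early return silently accepts a request that carried padata the KDC could not interpret, bypassing the `com_err("krb5kdc", retval, "no valid preauth type found")` diagnostic that follows it; consider still logging, at a lower severity, that an unrecognised padata type was ignored, so an operator can tell a misbehaving client from an ordinary non-preauth AS-REQ. Also, if `retval` is only assigned by the verify calls inside the loop (not visible in this hunk), the remaining `!pa_found` path reports whatever value `retval` held before the loop; the fix makes that path rarer but does not remove it.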
>Audit-Trail:
>Unformatted: