[301] in Kerberos-V5-bugs
Bad interaction between salts and preauthentication
tytso@ATHENA.MIT.EDU (tytso@ATHENA.MIT.EDU)
Tue Mar 9 20:02:31 1993
In get_in_tkt(), if preauthentication is specified, we have to get the
user's key before we get the hint from the KDC as to which salting
algorithm to use. Currently, we use the default salt. But if that's
not correct, we lose.
Problems that make this hard to fix:
1) The key_proc() routine, since it can potentially do kerboard I/O,
can only be called once.
2) The key_proc() routine takes a krb5_pa_data ** as an argument, and
does the hint decoding. Badness; it should take the salt as
input, and get_in_tkt() should be responsible for doing the KDC
hit decoding.
Fix is to redo the key_proc() signature, and make get_in_tkt() have a
list of salting algorithms to try, under an #ifdef. (Likeliest thing to
try is the default salt of our current realm name, and no salt, which is
used by V4. It still doesn't help us in the case where we are changing
realm names.)
