[3027] in Kerberos-V5-bugs
krb5-kdc/682: KDC shouldn't check server principal for preauth requirements
daemon@ATHENA.MIT.EDU (fcusack@iconnet.net)
Tue Jan 12 13:09:15 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, fcusack@iconnet.net
Date: Tue, 12 Jan 1999 13:10:23 -0500 (EST)
From: fcusack@iconnet.net
Reply-To: fcusack@iconnet.net
To: krb5-bugs@MIT.EDU
Cc: fcusack@iconnet.net
>Number: 682
>Category: krb5-kdc
>Synopsis: KDC should only check client principal for preauth requirements
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Jan 12 13:09:01 EST 1999
>Last-Modified:
>Originator: Frank Cusack
>Organization:
Qwest Communications
>Release: krb5-current-19981119
>Environment:
Unix
System: SunOS ratbert 5.6 Generic_105181-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Description:
KDC checks the preauth flags on the server principal when
issuing tickets. If preauth (or hwauth) is required, and
the appropriate flag is not set in the ticket request, the
new ticket is not issued. This check should not be done
for server principals, based on email from Marc Horowitz.
>How-To-Repeat:
>Fix:
Index: kdc_util.c
===================================================================
RCS file: /icon/d04/cvsroot/3rd-party/krb5-19981119/kdc/kdc_util.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 kdc_util.c
--- kdc_util.c 1998/11/24 17:05:08 1.1.1.1
+++ kdc_util.c 1999/01/12 18:05:27
@@ -1292,6 +1292,7 @@
st_idx++;
}
+#if 0
/* Check for hardware preauthentication */
if (isflagset(server.attributes, KRB5_KDB_REQUIRES_HW_AUTH) &&
!isflagset(ticket->enc_part2->flags,TKT_FLG_HW_AUTH)) {
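Review bot: The #if 0 added above the "Check for hardware preauthentication" comment has no explanation attached and disables the check unconditionally. As shown, the check compares server.attributes (KRB5_KDB_REQUIRES_HW_AUTH) against the flags of the presented ticket (TKT_FLG_HW_AUTH), so after this change a server principal carrying that attribute no longer limits issuance to hardware-authenticated tickets. If that is the intended behaviour, delete the block instead of compiling it out and record the rationale (the description cites email from Marc Horowitz) in a comment or change log entry. If any deployment relies on the server-side attribute, a configuration switch would be safer than removal.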
@@ -1305,6 +1306,7 @@
*status = "NO PREAUTH";
return KRB_ERR_GENERIC;
}
+#endif /* 0 */
/*
* Check local policy
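Review bot: The #endif /* 0 */ placed after the block that sets *status = "NO PREAUTH" closes the guard opened in the previous hunk, so one unlabelled #if 0 spans both the hardware preauthentication check and this second check, along with the lines between the hunks that the patch does not show. Either remove both blocks outright or guard each one separately with a comment naming the reason, so a later reader can tell which checks were dropped on purpose. The description mentions both the preauth and hwauth flags, and the code should say as much at the point where they stop being enforced.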
>Audit-Trail:
>Unformatted: