[3028] in Kerberos-V5-bugs
Re: krb5-kdc/682: KDC shouldn't check server principal for preauth requirements
daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Wed Jan 13 00:24:11 1999
Date: Wed, 13 Jan 1999 00:24:01 -0500
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: krb5-bugs@MIT.EDU, fcusack@iconnet.net
Cc: krb5-unassigned@RT-11.MIT.EDU, gnats-admin@RT-11.MIT.EDU,
krb5-prs@RT-11.MIT.EDU, marc@MIT.EDU
In-Reply-To: fcusack@iconnet.net's message of Tue, 12 Jan 1999 13:09:02 -0500,
<199901121809.NAA23641@rt-11.MIT.EDU>

   Date: Tue, 12 Jan 1999 13:10:23 -0500 (EST)
   From: fcusack@iconnet.net

   KDC checks the preauth flags on the server principal when
   issuing tickets. If preauth (or hwauth) is required, and
   the appropriate flag is not set in the ticket request, the
   new ticket is not issued. This check should not be done
   for server principals, based on email from Marc Horowitz.

This is correct behaviour --- a system administrator may be so paranoid
that they want it to be the case that tickets for some highly privileged
service, say:

    vault/door.fort-nox.gov@FORT-KNOX.GOV

should only be issued if the ticket-granting ticket was originally
obtained using hardware preauthentication.

I don't understand why you had this attribute (REQUIRES_HW_PREAUTH) set
on the principal if you didn't want this to be the case. Why not clear
the attribute from the database, instead of commenting out the check in
the KDC database?
- Ted
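
Added illustration (not part of the original message, and not MIT krb5 source): a small C model of the check under discussion, in which the KDC compares the service principal's attributes with the flags carried in the ticket-granting ticket. The attribute constants, struct and function names are assumptions made for this example; the ticket flag bit positions follow RFC 4120.

```c
/* Added illustration: a model of the check discussed above, not MIT krb5 source. */
#include <stdint.h>
#include <stdio.h>

/* Ticket flags per RFC 4120 section 5.3; bit 0 is the most significant bit. */
#define TKT_PRE_AUTHENT (UINT32_C(1) << (31 - 10))
#define TKT_HW_AUTHENT  (UINT32_C(1) << (31 - 11))

/* Per-principal attribute bits: values are assumptions for this example. */
#define ATTR_REQUIRES_PREAUTH    UINT32_C(0x1)
#define ATTR_REQUIRES_HW_PREAUTH UINT32_C(0x2)

enum tgs_decision { TGS_ISSUE, TGS_DENY_NEED_PREAUTH, TGS_DENY_NEED_HW_PREAUTH };

struct principal { const char *name; uint32_t attributes; };

/* Constructed sample data: the service named in the message, as configured
 * and after the administrator clears the attribute in the database. */
static const struct principal vault = {
    "vault/door.fort-nox.gov@FORT-KNOX.GOV", ATTR_REQUIRES_HW_PREAUTH };
static const struct principal vault_cleared = {
    "vault/door.fort-nox.gov@FORT-KNOX.GOV", 0 };

/* Decide whether a service ticket may be issued, given the flags the TGT
 * carries forward from the initial authentication. */
enum tgs_decision check_server_preauth(const struct principal *server,
                                       uint32_t tgt_flags)
{
    if ((server->attributes & ATTR_REQUIRES_HW_PREAUTH) &&
        !(tgt_flags & TKT_HW_AUTHENT))
        return TGS_DENY_NEED_HW_PREAUTH;
    if ((server->attributes & ATTR_REQUIRES_PREAUTH) &&
        !(tgt_flags & TKT_PRE_AUTHENT))
        return TGS_DENY_NEED_PREAUTH;
    return TGS_ISSUE;
}

int main(void)
{
    /* TGT from software preauth only, then hardware preauth, then the
     * same request after the attribute has been cleared. */
    printf("software preauth:  %d\n",
           check_server_preauth(&vault, TKT_PRE_AUTHENT));
    printf("hardware preauth:  %d\n",
           check_server_preauth(&vault, TKT_PRE_AUTHENT | TKT_HW_AUTHENT));
    printf("attribute cleared: %d\n",
           check_server_preauth(&vault_cleared, 0));
    return 0;
}
```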