[16586] in Kerberos_V5_Development

Re: question about krb5_verify_init_creds() and verify_ap_req_nofail

daemon@ATHENA.MIT.EDU (Will Fiveash)
Tue Jan 11 15:53:45 2011

Date: Tue, 11 Jan 2011 14:52:49 -0600
From: Will Fiveash <will.fiveash@oracle.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20110111205248.GA22291@sun.com>
Mail-Followup-To: Greg Hudson <ghudson@mit.edu>,
	MIT Kerberos Dev List <krbdev@mit.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <1294769118.2456.429.camel@ray>
Cc: MIT Kerberos Dev List <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Tue, Jan 11, 2011 at 01:05:18PM -0500, Greg Hudson wrote:
> On Mon, 2011-01-10 at 18:31 -0500, Will Fiveash wrote:
> > What
> > confuses me is that the MIT code (and Solaris to a lesser degree) does a
> > number of things that could cause krb5_verify_init_creds() to return an
> > error before checking the setting of KRB5_CONF_VERIFY_AP_REQ_NOFAIL and
> > I'm wondering if this is correct.  Basically shouldn't
> > verify_ap_req_nofail be checked first and if it is false just return 0?
> 
> I believe the code matches the intent, which is:
> 
>   By default, succeed if and only if:
>     - No keying material is available
>     - A key is available and verification using that key succeeds
>   If verify_ap_req_nofail is set, succeed if and only if:
>     - A key is available and verification using that key succeeds
> 
> So, only the specific failure of "no keying material is available"
> should consult the value of verify_ap_req_nofail.

But if a default keytab does not exist then:

    if (keytab_arg) {
        keytab = keytab_arg;
    } else {
        if ((ret = krb5_kt_default(context, &keytab)))
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            goto cleanup;
    }

will goto cleanup and cause an error to be returned.  If
verify_ap_req_nofail is not set, why should the lack of a keytab cause
krb5_verify_init_creds() to return an error?

-- 
Will Fiveash
Oracle
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
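As an added illustration, not MIT krb5 code and not from either poster: a small C model of the two behaviours under discussion, Greg's intended rule (only the "no keying material" case consults verify_ap_req_nofail) next to the early-return path in the snippet Will quotes, where a failing krb5_kt_default() produces an error before that option is looked at. All names here are hypothetical and a flag stands in for the real AP-REQ decryption.

```c
#include <stdbool.h>

/* Hypothetical environment the verifier runs in (constructed inputs). */
typedef struct {
    bool keytab_present;   /* default keytab exists and can be opened  */
    bool key_in_keytab;    /* it holds an entry for the host principal */
    bool ap_req_verifies;  /* stand-in for decrypting the AP-REQ with that key */
} env;

typedef enum {
    VERIFY_OK = 0,
    VERIFY_FAILED_NO_KEY,     /* no keying material and nofail is set   */
    VERIFY_FAILED_BADKEY,     /* key present but the AP-REQ check failed */
    VERIFY_FAILED_NO_KEYTAB   /* keytab open failed before the nofail check */
} verify_result;

/* Rule as Greg states it. With nofail clear, a missing key is accepted,
 * which means the KDC is NOT authenticated to this host for that login;
 * nofail is the switch that forbids exactly that outcome. */
verify_result verify_intended(const env *e, bool verify_ap_req_nofail)
{
    bool key_available = e->keytab_present && e->key_in_keytab;

    if (!key_available)
        return verify_ap_req_nofail ? VERIFY_FAILED_NO_KEY : VERIFY_OK;

    /* A key exists: verification must succeed regardless of the option. */
    return e->ap_req_verifies ? VERIFY_OK : VERIFY_FAILED_BADKEY;
}

/* Path Will points at: an unopenable default keytab jumps to cleanup and
 * returns an error whether or not nofail is set. */
verify_result verify_as_quoted(const env *e, bool verify_ap_req_nofail)
{
    if (!e->keytab_present)
        return VERIFY_FAILED_NO_KEYTAB;
    return verify_intended(e, verify_ap_req_nofail);
}
```

The one input where the two functions disagree is "no default keytab, nofail clear", which is precisely the case the reply raises.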