[17461] in Kerberos_V5_Development
Re: Disabling PA-REQ-ENC-PA-REP (149) preauth?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Jan 14 13:19:06 2012
Message-ID: <4F11C713.3070901@mit.edu>
Date: Sat, 14 Jan 2012 13:18:59 -0500
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Aleksander Adamowski <krb5@olo.org.pl>
In-Reply-To: <CADTpmS5X_aAzitGZwr6oe5SDqh_5iocDKYa7=pzMZgGw5qcXvA@mail.gmail.com>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 01/14/2012 10:04 AM, Aleksander Adamowski wrote:
> All is well, but the problem is that the latest trunk version of
> libkrb5 seems to use an experimental PA-REQ-ENC-PA-REP (149) pre
> authentication (with an empty preauth value) that's currently part of
> a draft specification for Kerberos Referrals
> (http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-13).
>
> Obviously, Apache DS's Kerberos protocol handler doesn't yet know
> about such preauth and returns an error message.
>
> Is there a way to disable this behaviour in libkrb5?
No, there's no way to turn this off. As discussed in RFC 4120 sections
1.5.2 and 5.2.7, the krb5 protocol uses pa-data values for more than
just pre-authentication. This one indicates that the client can accept
an extra ASN.1 field in the encrypted reply.
KDC implementations must ignore unrecognized padata fields. This
requirement is a fundamental basis of krb5 protocol extensibility; there
is really no way implementations can work around or accommodate a failure
to do so.
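The following is an added illustration, not code from the thread or from MIT krb5 or Apache DS: a toy model of the padata loop a KDC runs over an AS-REQ. It contrasts a KDC that errors on an unrecognized padata type (the interoperability failure described above) with the RFC 4120 behaviour of skipping it, and it shows why an empty PA-REQ-ENC-PA-REP value is harmless to a compliant KDC. The type numbers 2 and 149 and the error codes 16 and 24 are the RFC 4120 / referrals-draft values; the handler names, the context dictionary, the placeholder ciphertext bytes and the made-up type 9999 are this example's own.

```python
"""Added example (not from the krbdev thread): a minimal model of how a KDC
walks the padata list of an AS-REQ, with and without the RFC 4120 rule
that unknown padata types are ignored."""

# PA-DATA type numbers. 2 is PA-ENC-TIMESTAMP (RFC 4120); 149 is
# PA-REQ-ENC-PA-REP from the Kerberos referrals draft cited in the thread.
PA_ENC_TIMESTAMP = 2
PA_REQ_ENC_PA_REP = 149

# RFC 4120 KDC error codes used below.
KDC_ERR_PADATA_TYPE_NOSUPP = 16   # padata type the KDC cannot handle
KDC_ERR_PREAUTH_FAILED = 24       # pre-authentication check failed


class KdcError(Exception):
    """Stand-in for a KRB-ERROR sent back to the client."""

    def __init__(self, code):
        super().__init__(f"KDC error {code}")
        self.code = code


def handle_enc_timestamp(value, ctx):
    # Placeholder for decrypting and checking the timestamp with the
    # client's long-term key; here a non-empty value counts as verified.
    if not value:
        raise KdcError(KDC_ERR_PREAUTH_FAILED)
    ctx["preauth_verified"] = True


def handle_req_enc_pa_rep(value, ctx):
    # The value is empty by design. Its mere presence is the signal: the
    # client can accept the extra field in the encrypted part of the reply.
    ctx["client_accepts_enc_pa_rep"] = True


# Hypothetical handler registry; a real KDC has many more entries.
HANDLERS = {
    PA_ENC_TIMESTAMP: handle_enc_timestamp,
    PA_REQ_ENC_PA_REP: handle_req_enc_pa_rep,
}


def process_padata(padata, strict=False):
    """Walk the (type, value) pairs of an AS-REQ.

    strict=True reproduces the interop bug: an unrecognized type becomes
    KDC_ERR_PADATA_TYPE_NOSUPP. The default skips unknown types, as
    RFC 4120 section 5.2.7 requires, and records what was skipped.
    """
    ctx = {"preauth_verified": False,
           "client_accepts_enc_pa_rep": False,
           "ignored_types": []}
    for pa_type, pa_value in padata:
        handler = HANDLERS.get(pa_type)
        if handler is None:
            if strict:
                raise KdcError(KDC_ERR_PADATA_TYPE_NOSUPP)
            ctx["ignored_types"].append(pa_type)
            continue
        handler(pa_value, ctx)
    return ctx


# Constructed padata list resembling what the thread describes: an
# encrypted timestamp (bytes stand in for real ciphertext), the empty
# PA-REQ-ENC-PA-REP, and a made-up type 9999 no KDC has heard of.
SAMPLE_PADATA = [
    (PA_ENC_TIMESTAMP, b"\x30\x08\xa0\x03\x02\x01\x17\xa2\x01\x00"),
    (PA_REQ_ENC_PA_REP, b""),
    (9999, b"vendor extension"),
]


def strict_kdc_result(padata=SAMPLE_PADATA):
    """Error code a strict KDC would send for this request, or None."""
    try:
        process_padata(padata, strict=True)
    except KdcError as err:
        return err.code
    return None


if __name__ == "__main__":
    print("strict KDC replies with error:", strict_kdc_result())
    print("compliant KDC context:", process_padata(SAMPLE_PADATA))
```

Run stand-alone, the strict path returns error 16 as soon as it meets type 149, exactly the failure the original poster saw, while the compliant path verifies the timestamp, notes that the client accepts the extra reply field, and merely records 149-style unknowns (here 9999) without failing. The point of the model is that the skip branch is the only place where a KDC can be made tolerant; nothing on the client side can substitute for it.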
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev