issue with preauth processing
Will Fiveash
William.Fiveash at sun.com
Fri Oct 23 18:19:38 EDT 2009

On Fri, Oct 23, 2009 at 05:04:57PM -0500, Will Fiveash wrote:
> On Fri, Oct 23, 2009 at 04:50:35PM -0500, Will Fiveash wrote:
> > On Fri, Oct 23, 2009 at 04:48:58PM -0400, Sam Hartman wrote:
> > > The preauth framework strongly encourages implementations to take
> > > optimistic pre-auth as a hint.  If you try some pre-auth and get a
> > > PREAUTH_REQUIRED or PREAUTH_FAILED error, then you should take that as
> > > the KDC requesting you start over.  Now, if that second round fails,
> > > you should probably give up.
> > 
> > But consider pam_krb5 and prompting.  There may be situations where
> > pam_krb5 wants to restrict libkrb and its preauth plugins to only
> > PKINIT and its associated prompts.  How can that be done?
> 
> In addition I notice that kpasswd is prompting for a PIN if the system 
> is configured to do PKINIT.  I notice in the source for kpasswd there is
> a call to:
> 
> static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions )
> {
>     krb5_preauthtype    preauth[] = { KRB5_PADATA_ENC_TIMESTAMP };
>     krb5_enctype        etypes[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC};
>     krb5_get_init_creds_opt_set_address_list(outOptions, NULL);
>     krb5_get_init_creds_opt_set_etype_list( outOptions, etypes, sizeof(etypes)/sizeof(krb5_enctype) );
>     krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth, sizeof(preauth)/sizeof(krb5_preauthtype) );
> }
> 
> Seems to me that the intention is to restrict the preauth to only
> KRB5_PADATA_ENC_TIMESTAMP.
I also notice this in src/lib/krb5/krb/s4u_creds.c:
    krb5_get_init_creds_opt_set_preauth_list(opts, ptypes, 1);
where ptypes is:
    krb5_preauthtype ptypes[1] = { KRB5_PADATA_S4U_X509_USER };
Isn't the point to restrict the preauth to just
KRB5_PADATA_S4U_X509_USER?
(Luke, I also think that code is buggy, shouldn't that be ptypes[0]?)
-- 
Will Fiveash
Sun Microsystems               Office x64079/512-401-1079
Austin, TX, 78727              (TZ=CST6CDT), USA
Internal Solaris Kerberos/GSS/SASL website: http://kerberos.sfbay.sun.com
http://opensolaris.org/os/project/kerberos/
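The following is an added illustration, not code from MIT krb5 or from this thread. It models `krb5_get_init_creds_opt_set_preauth_list()` as a strict client-side allow-list (the behaviour the message above asks for; the thread itself notes the framework may treat the list only as an optimistic hint), using a hypothetical `init_creds_opt` struct and `opt_set_preauth_list()`/`select_preauth()` stand-ins. The pa-data type numbers are defined locally from the IANA pre-authentication registry so the example builds without krb5.h; the KDC offer is constructed. The three scenarios cover the pam_krb5 PKINIT-only case, the kpasswd encrypted-timestamp-only case (which is why a PKINIT PIN prompt would not appear under a strict list), and what the `ptypes[1]` declaration from s4u_creds.c denotes when paired with a length of 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* pa-data type numbers from the IANA Kerberos pre-authentication registry,
 * defined locally so this example compiles without krb5.h; the names
 * mirror MIT krb5's constants. */
typedef int32_t krb5_preauthtype;
#define KRB5_PADATA_ENC_TIMESTAMP   2    /* PA-ENC-TIMESTAMP: password prompt */
#define KRB5_PADATA_PK_AS_REQ       16   /* PA-PK-AS-REQ: PKINIT, PIN prompt  */
#define KRB5_PADATA_S4U_X509_USER   130  /* PA-S4U-X509-USER                  */

/* Hypothetical options object: only the preauth-list part of
 * krb5_get_init_creds_opt is modelled here. */
typedef struct {
    const krb5_preauthtype *preauth_list;
    int preauth_list_length;   /* 0 = no restriction */
} init_creds_opt;

/* Hypothetical stand-in for krb5_get_init_creds_opt_set_preauth_list(). */
static void opt_set_preauth_list(init_creds_opt *opt,
                                 const krb5_preauthtype *list, int length)
{
    opt->preauth_list = list;
    opt->preauth_list_length = length;
}

/* 1 if the client may attempt pa_type under the configured allow-list. */
static int preauth_allowed(const init_creds_opt *opt, krb5_preauthtype pa_type)
{
    if (opt->preauth_list_length == 0)
        return 1;
    for (int i = 0; i < opt->preauth_list_length; i++)
        if (opt->preauth_list[i] == pa_type)
            return 1;
    return 0;
}

/* Filter the pa-data types the KDC offered (e.g. in a PREAUTH_REQUIRED
 * error) down to those the allow-list permits, keeping KDC order.
 * Returns the number of entries written to out. */
static int select_preauth(const init_creds_opt *opt,
                          const krb5_preauthtype *offered, int n_offered,
                          krb5_preauthtype *out, int out_cap)
{
    int n = 0;
    for (int i = 0; i < n_offered && n < out_cap; i++)
        if (preauth_allowed(opt, offered[i]))
            out[n++] = offered[i];
    return n;
}

/* Constructed KDC offer used by the scenarios below: the KDC advertises
 * both encrypted timestamp and PKINIT. */
static const krb5_preauthtype kdc_offer[] = {
    KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_PK_AS_REQ
};
#define N_OFFER ((int)(sizeof(kdc_offer) / sizeof(kdc_offer[0])))

/* pam_krb5-style restriction: PKINIT only, so no password prompt surfaces. */
static int pkinit_only_selects_pkinit(void)
{
    static const krb5_preauthtype allowed[] = { KRB5_PADATA_PK_AS_REQ };
    init_creds_opt opt = { NULL, 0 };
    krb5_preauthtype chosen[4];
    opt_set_preauth_list(&opt, allowed, sizeof(allowed) / sizeof(allowed[0]));
    int n = select_preauth(&opt, kdc_offer, N_OFFER, chosen, 4);
    return n == 1 && chosen[0] == KRB5_PADATA_PK_AS_REQ;
}

/* kpasswd-style restriction: encrypted timestamp only, so PKINIT (and its
 * PIN prompt) is never attempted even though the KDC offered it. */
static int timestamp_only_excludes_pkinit(void)
{
    static const krb5_preauthtype allowed[] = { KRB5_PADATA_ENC_TIMESTAMP };
    init_creds_opt opt = { NULL, 0 };
    krb5_preauthtype chosen[4];
    opt_set_preauth_list(&opt, allowed, sizeof(allowed) / sizeof(allowed[0]));
    int n = select_preauth(&opt, kdc_offer, N_OFFER, chosen, 4);
    return n == 1 && chosen[0] == KRB5_PADATA_ENC_TIMESTAMP;
}

/* s4u_creds.c-style declaration: ptypes[1] declares a one-element array
 * (the subscript in a declaration is a size, not an index), so the matching
 * length argument is 1. */
static int s4u_list_length(void)
{
    krb5_preauthtype ptypes[1] = { KRB5_PADATA_S4U_X509_USER };
    return (int)(sizeof(ptypes) / sizeof(ptypes[0]));
}

int main(void)
{
    printf("PKINIT-only selects PKINIT: %d\n", pkinit_only_selects_pkinit());
    printf("timestamp-only excludes PKINIT: %d\n", timestamp_only_excludes_pkinit());
    printf("s4u ptypes length: %d\n", s4u_list_length());
    return 0;
}
```

With an empty list the filter passes every offered type through, which is the "no restriction" default; the point of the two one-element lists is that the prompt a user sees follows directly from which pa-data type the client is permitted to attempt.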