[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: preauth_always option?

To: Love Hörnquist Åstrand <lha@kth.se>
Subject: Re: preauth_always option?
From: Michael B Allen <miallen@ioplex.com>
Date: Wed, 28 May 2008 22:32:29 -0400
Cc: heimdal-discuss@sics.se
In-Reply-To: <92911A79-07C9-448A-BBF7-9306024E0EAF@kth.se>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Organization: IOPLEX Software
References: <20080528161545.3b01bbc5.miallen@ioplex.com><92911A79-07C9-448A-BBF7-9306024E0EAF@kth.se>
Reply-To: heimdal-discuss@sics.se, Michael B Allen <miallen@ioplex.com>

On Wed, 28 May 2008 18:55:26 -0700
Love Hörnquist Åstrand <lha@kth.se> wrote:

> >
> > If not I'll make one and post it but I was hoping someone else had  
> > done
> > this already
> 
> The problem with sending preauth data is that you get back an error if  
> you guess wrong salting.
> 
> And its usually and error w/o the ETYPE_INFO(2) that hints want salt  
> to use.

I do not think that should be too much of a problem.

If krb5_get_init_creds_opt_set_preauth_list() is not used (or the
corresponding krb5.conf option is not set), then there is no change in
behavior. So any patch would only improve the intelligence of the AS-REQ
wrt to PA.

If krb5_get_init_creds_opt_set_preauth_list() is used, and the error you
describe occurs, then we can set ptypes to NULL and simply start over. In
this worst case scenario we end up trying 3 times instead of 2.

Also, a static "salt hint" could be used to reduce the error rate of
multiple AS-REQs from the same process.

Altogether I think it could be quite smart.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

Follow-Ups:
- Re: preauth_always option?
  - From: "Douglas E. Engert" <deengert@anl.gov>

References:
- preauth_always option?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: preauth_always option?
  - From: Love Hörnquist Åstrand <lha@kth.se>

Prev by Date: Re: ftp 2GB file size limit bug (Was back in 2002: Bug in FTP/FTPD[PATCH supplied])
Next by Date: Re: Heimdal 1.1 telnetd broken under Solaris 10
Prev by thread: Re: preauth_always option?
Next by thread: Re: preauth_always option?
Index(es):
- Date
- Thread