Re: preauth_always option?

On Wed, 28 May 2008 18:55:26 -0700
Love Hörnquist Åstrand <lha@kth.se> wrote:

> > If not I'll make one and post it but I was hoping someone else had
> > done this already
> The problem with sending preauth data is that you get back an error if
> you guess wrong salting.
> And it's usually an error w/o the ETYPE_INFO(2) that hints what salt
> to use.

I do not think that should be too much of a problem.

If krb5_get_init_creds_opt_set_preauth_list() is not used (or the
corresponding krb5.conf option is not set), then there is no change in
behavior. So any patch would only improve the intelligence of the AS-REQ
wrt PA.

If krb5_get_init_creds_opt_set_preauth_list() is used, and the error you
describe occurs, then we can set ptypes to NULL and simply start over. In
this worst case scenario we end up trying 3 times instead of 2.

Also, a static "salt hint" could be used to reduce the error rate of
multiple AS-REQs from the same process.

Altogether I think it could be quite smart.


Michael B Allen
PHP Active Directory SPNEGO SSO
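
The retry argument in the message above, modelled as an added example (not part of the original message and not Heimdal code). `mock_kdc`, `get_init_creds`, `set_salt_hint` and `salt_hint` are hypothetical names, the salts are constructed, and only the two error codes come from RFC 4120.

```c
#include <stdio.h>
#include <string.h>

/* RFC 4120 error codes; everything else is a hypothetical model. */
enum { KDC_OK = 0, KDC_ERR_PREAUTH_FAILED = 24, KDC_ERR_PREAUTH_REQUIRED = 25 };

static const char *kdc_salt = "EXAMPLE.COMalice"; /* constructed sample salt */
static char salt_hint[64];                        /* static per-process "salt hint" */

static void set_salt_hint(const char *s)
{
    snprintf(salt_hint, sizeof(salt_hint), "%s", s);
}

/* Mock KDC: pa_salt == NULL means the AS-REQ carried no preauth data.
 * Only PREAUTH_REQUIRED returns an ETYPE-INFO2 salt (through *info2). */
static int mock_kdc(const char *pa_salt, const char **info2)
{
    *info2 = NULL;
    if (pa_salt == NULL) {
        *info2 = kdc_salt;
        return KDC_ERR_PREAUTH_REQUIRED;
    }
    return strcmp(pa_salt, kdc_salt) == 0 ? KDC_OK : KDC_ERR_PREAUTH_FAILED;
}

/* guess == NULL: no preauth list configured (unchanged behaviour).
 * Otherwise send preauth up front, preferring the cached hint over guess.
 * Returns the number of AS-REQs sent, or -1 if none succeeded. */
static int get_init_creds(const char *guess)
{
    const char *info2;
    const char *salt = guess ? (salt_hint[0] ? salt_hint : guess) : NULL;

    for (int tries = 1; tries <= 3; tries++) {
        int rc = mock_kdc(salt, &info2);
        if (rc == KDC_OK) {
            if (salt != salt_hint)      /* avoid copying the buffer onto itself */
                set_salt_hint(salt);
            return tries;
        }
        /* Wrong guess carries no hint: drop preauth (ptypes = NULL) and start
         * over. PREAUTH_REQUIRED supplies the real salt for the next try. */
        salt = (rc == KDC_ERR_PREAUTH_REQUIRED) ? info2 : NULL;
    }
    return -1;
}

int main(void)
{
    printf("no preauth list: %d AS-REQs\n", get_init_creds(NULL));
    set_salt_hint("");
    printf("wrong guess:     %d AS-REQs\n", get_init_creds("EXAMPLE.COMbob"));
    printf("cached hint:     %d AS-REQs\n", get_init_creds("EXAMPLE.COMbob"));
    return 0;
}
```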