[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: preauth_always option?
--On Wednesday, May 28, 2008 06:55:26 PM -0700 Love Hörnquist Åstrand
>> If not I'll make one and post it but I was hoping someone else had
>> this already
> The problem with sending preauth data is that you get back an error if
> you guess wrong salting.
> And its usually and error w/o the ETYPE_INFO(2) that hints want salt to
In part, that's because KDC_ERR_PREAUTH_REQUIRED is defined to return
TYPED-DATA e-data, while KDC_ERR_PREAUTH_FAILED is not. So if you try
preauth and guess wrong, you don't get enough information back from the KDC
to get it right, whereas if you don't try preauth, the KDC tells you what
you need to know.
Note that while the preauth framework draft recommends interpreting the
e-data of KDC_ERR_PREAUTH_FAILED as TYPED-DATA, it is not actually defined
as such, and that draft is still a work in progress. It's probably the
case that doing so won't break anything, but I don't know whether anyone
has examined existing KDC implementations to see if any send e-data for
this error other than TYPED-DATA. In any case, it doesn't actually help
you if the KDC doesn't send any e-data with KDC_ERR_PREAUTH_FAILED.