
Re: preauth_always option?



--On Wednesday, May 28, 2008 06:55:26 PM -0700 Love Hörnquist Åstrand 
<lha@kth.se> wrote:

>>
>> If not I'll make one and post it but I was hoping someone else had
>> done
>> this already
>
> The problem with sending preauth data is that you get back an error if
> you guess wrong salting.
>
> And it's usually an error w/o the ETYPE_INFO(2) that hints what salt to
> use.

In part, that's because KDC_ERR_PREAUTH_REQUIRED is defined to return 
TYPED-DATA e-data, while KDC_ERR_PREAUTH_FAILED is not.  So if you try 
preauth and guess wrong, you don't get enough information back from the KDC 
to get it right, whereas if you don't try preauth, the KDC tells you what 
you need to know.

Note that while the preauth framework draft recommends interpreting the 
e-data of KDC_ERR_PREAUTH_FAILED as TYPED-DATA, it is not actually defined 
as such, and that draft is still a work in progress.  It's probably the 
case that doing so won't break anything, but I don't know whether anyone 
has examined existing KDC implementations to see if any send e-data for 
this error other than TYPED-DATA.  In any case, it doesn't actually help 
you if the KDC doesn't send any e-data with KDC_ERR_PREAUTH_FAILED.

-- Jeff
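As an added illustration of the round trips Jeff describes (not code from this thread or from any Kerberos implementation), a toy Python model of the AS exchange: the KDC class, the client loop, the sample salts and the simplified string-to-key are all assumptions. It shows that when a preauth-always client guesses the wrong salt and the KDC answers KDC_ERR_PREAUTH_FAILED with no e-data, the only recovery is to fall back to a plain AS-REQ and read the salt from the ETYPE-INFO2 in KDC_ERR_PREAUTH_REQUIRED.

```python
import hashlib
from collections import namedtuple

KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED = 24, 25  # RFC 4120 error codes
PA_ENC_TIMESTAMP, PA_ETYPE_INFO2 = 2, 19                    # padata types
KdcError = namedtuple("KdcError", "code e_data")  # e_data: decoded TYPED-DATA, or None if none sent

def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (assumption): a salted PBKDF2
    # without the DK() step of RFC 3962. Only the dependence on the salt matters here.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)

def default_salt(realm: str, principal: str) -> str:
    # RFC 4120 default salt: realm followed by the principal name components, unseparated.
    return realm + "".join(principal.split("/"))

class Kdc:
    """Toy KDC that requires preauth; the salt in its database need not be the default."""
    def __init__(self, password: str, salt: str):
        self.salt, self.key = salt, string_to_key(password, salt)

    def as_req(self, padata):
        if padata is None:  # no preauth: the error carries ETYPE-INFO2 with the salt hint
            return KdcError(KDC_ERR_PREAUTH_REQUIRED, {PA_ETYPE_INFO2: {"salt": self.salt}})
        # PA-ENC-TIMESTAMP is modelled as the derived key itself: a wrong salt or password
        # fails to "decrypt", and this KDC sends no e-data with KDC_ERR_PREAUTH_FAILED.
        if padata.get(PA_ENC_TIMESTAMP) != self.key:
            return KdcError(KDC_ERR_PREAUTH_FAILED, None)
        return "AS-REP"

def client_as_exchange(kdc, realm, principal, password, preauth_always: bool):
    """Run the AS exchange; returns (AS-REP or the final KdcError, number of round trips)."""
    padata = None
    if preauth_always:  # guess the salt up front, the behaviour the thread asks about
        padata = {PA_ENC_TIMESTAMP: string_to_key(password, default_salt(realm, principal))}
    fell_back, trips = False, 0
    while True:
        trips += 1
        rep = kdc.as_req(padata)
        if rep == "AS-REP":
            return rep, trips
        if rep.code == KDC_ERR_PREAUTH_REQUIRED and rep.e_data and PA_ETYPE_INFO2 in rep.e_data:
            salt = rep.e_data[PA_ETYPE_INFO2]["salt"]  # the hint only the no-preauth path gets
            padata = {PA_ENC_TIMESTAMP: string_to_key(password, salt)}
        elif rep.code == KDC_ERR_PREAUTH_FAILED and rep.e_data is None and not fell_back:
            padata, fell_back = None, True  # no hint to fix the salt: retry without preauth
        else:
            return rep, trips  # failed again with the hinted salt: wrong password, give up
```

With a non-default salt the preauth-always client needs three round trips where the plain client needs two; only when the KDC happens to use the default salt does preauth-always save a trip.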