[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: preauth_always option?
On Jun 3, 2008, at 19:45, Jeffrey Hutzelman wrote:
> In part, that's because KDC_ERR_PREAUTH_REQUIRED is defined to
> return TYPED-DATA e-data, while KDC_ERR_PREAUTH_FAILED is not. So
> if you try preauth and guess wrong, you don't get enough information
> back from the KDC to get it right, whereas if you don't try preauth,
> the KDC tells you what you need to know.
Maybe we should spec out some data the client can send to say, "I'm
guessing that XXXX is the salt/preauth/whatever non-secret parameters,
let me know if I'm wrong", and if it doesn't match what the KDC would
send, all or some of the preauth data from the client is discarded and
the request is treated like a normal no-preauth request, resulting in
PREAUTH-REQUIRED and typed-data...
I'm not sure if there'd be any security impact of having the KDC
return PREAUTH-REQUIRED in that case; it seems pretty close logically
to having the client follow up a PREAUTH-FAILED error with a separate
no-preauth AS-REQ and get the PREAUTH-REQUIRED that way. It would
still have to be possible for the request to fail, e.g., if the
assumed salt string were correct but the resulting encryption key were