Re: preauth_always option?
On Wed, 28 May 2008 16:15:45 -0400
Michael B Allen <miallen@ioplex.com> wrote:
> If not I'll make one and post it but I was hoping someone else had done
> this already.
I'm not in my environment right now so I can't supply a real patch yet, but
here's the pseudocode that will be the basis for it:
get_in_cred(padata)
{
    error = 0;
    /* 1: caller supplied PA, 2: try optimistic PA, 3: no PA, 4: PA from ETYPE_INFO */
    state = padata != NULL ? 1 : 2;
    do {
        done = 1;
        switch (state) {
        case 1: /* PA supplied as param */
            break;
        case 2: /* Try optimistic PA */
            padata = make_optimistic_padata();
            if (padata) {
                break;
            }
            /* Cannot determine suitable optimistic
             * padata, fall through to no PA
             */
            state = 3;
        case 3: /* No PA */
            padata = NULL;
            break;
        case 4: /* Extract from ETYPE_INFO */
            padata = extract_etype_info_padata();
            break;
        }
        error = sendto_kdc(req, rep);
        if (error) {
            if (state == 2) {
                if (error == PREAUTH_FAILED) {
                    /* Optimistic PA failed, try no PA to get ETYPE_INFO */
                    state = 3;
                    done = 0;
                }
            } else if (state == 3) {
                if (error == PREAUTH_REQUIRED) {
                    if (is_etype_info_present) {
                        /* Try PA from ETYPE_INFO */
                        state = 4;
                        done = 0;
                    }
                }
            }
        }
    } while (!done);
    return error;
}
One could argue that the state machine isn't necessary but, for the long
term, I think it is warranted here.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
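The fallback order described in the mail above, as an added, self-contained simulation that is not Mike's patch and not krb5 code. The "KDC" is a stand-in that models only two policy bits (whether pre-authentication is required and whether ETYPE-INFO is returned with the error); the error codes are the RFC 4120 KDC_ERR_PREAUTH_FAILED (24) and KDC_ERR_PREAUTH_REQUIRED (25) values, and every other name (kdc_policy, result, the enctype numbers 17 and 18 used as the guess and the KDC's real key type) is constructed for this example.

```c
/* Added example: simulation of the optimistic -> no-PA -> ETYPE-INFO
 * fallback state machine. Not krb5 code; all names are constructed. */
#include <stdio.h>
#include <string.h>

enum { OK = 0, PREAUTH_FAILED = 24, PREAUTH_REQUIRED = 25 }; /* RFC 4120 codes */

#define KDC_ENCTYPE 18   /* constructed: the enctype the KDC's key really uses */

struct kdc_policy {
    int requires_preauth;  /* KDC refuses AS-REQs that carry no pre-authentication */
    int sends_etype_info;  /* KDC includes ETYPE-INFO in its PREAUTH_REQUIRED error */
};

struct req { int has_padata; int padata_enctype; };
struct rep { int error; int etype_info_present; int etype_info_enctype; };
struct result { int error; int final_state; int round_trips; };

/* Stand-in for sendto_kdc(): padata built with the wrong enctype is rejected,
 * a request without padata is accepted only when preauth is optional. */
static void sendto_kdc(const struct kdc_policy *k, const struct req *q, struct rep *r)
{
    memset(r, 0, sizeof *r);
    if (!q->has_padata) {
        if (k->requires_preauth) {
            r->error = PREAUTH_REQUIRED;
            r->etype_info_present = k->sends_etype_info;
            r->etype_info_enctype = KDC_ENCTYPE;
        }
        return;
    }
    r->error = (q->padata_enctype == KDC_ENCTYPE) ? OK : PREAUTH_FAILED;
}

/* supplied_enctype != 0: caller passed padata (state 1).
 * guess_enctype != 0: client can build optimistic padata (state 2). */
static struct result get_in_cred(const struct kdc_policy *k, int supplied_enctype, int guess_enctype)
{
    struct result res = {0, 0, 0};
    struct req q = {0, 0};
    struct rep r = {0, 0, 0};
    int state = supplied_enctype ? 1 : 2;
    int done;

    do {
        done = 1;
        switch (state) {
        case 1: /* PA supplied as param */
            q.has_padata = 1; q.padata_enctype = supplied_enctype;
            break;
        case 2: /* Try optimistic PA */
            if (guess_enctype) {
                q.has_padata = 1; q.padata_enctype = guess_enctype;
                break;
            }
            state = 3; /* no usable guess: fall through to no PA */
        case 3: /* No PA */
            q.has_padata = 0; q.padata_enctype = 0;
            break;
        case 4: /* Build PA from the ETYPE-INFO of the previous reply */
            q.has_padata = 1; q.padata_enctype = r.etype_info_enctype;
            break;
        }
        sendto_kdc(k, &q, &r);
        res.round_trips++;
        if (r.error == PREAUTH_FAILED && state == 2) {
            state = 3; done = 0;   /* optimistic guess was wrong: ask the KDC what it wants */
        } else if (r.error == PREAUTH_REQUIRED && state == 3 && r.etype_info_present) {
            state = 4; done = 0;   /* KDC told us the enctype/salt: retry with that PA */
        }
    } while (!done);

    res.error = r.error;
    res.final_state = state;
    return res;
}

int main(void)
{
    struct kdc_policy strict = {1, 1}, strict_no_info = {1, 0}, lax = {0, 0};
    struct result a = get_in_cred(&strict, 0, 17);          /* wrong optimistic guess */
    struct result b = get_in_cred(&strict, 0, 18);          /* right optimistic guess */
    struct result c = get_in_cred(&lax, 0, 0);              /* no guess, preauth optional */
    struct result d = get_in_cred(&strict_no_info, 0, 0);   /* no guess, no ETYPE-INFO */
    printf("wrong guess:   error=%d state=%d trips=%d\n", a.error, a.final_state, a.round_trips);
    printf("right guess:   error=%d state=%d trips=%d\n", b.error, b.final_state, b.round_trips);
    printf("no PA needed:  error=%d state=%d trips=%d\n", c.error, c.final_state, c.round_trips);
    printf("no ETYPE-INFO: error=%d state=%d trips=%d\n", d.error, d.final_state, d.round_trips);
    return 0;
}
```

The wrong-guess case is the one the state machine exists for: three round trips (PREAUTH_FAILED, then PREAUTH_REQUIRED carrying ETYPE-INFO, then success), whereas a correct guess costs one. Two things worth keeping in mind when reading KDC logs against this client behaviour: the failed optimistic attempt is recorded by the KDC as a pre-authentication failure for that principal even though the client recovers, and when the KDC omits ETYPE-INFO from its error the machine stops in state 3 and returns PREAUTH_REQUIRED rather than guessing again.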