Re: preauth_always option?
On Wed, 28 May 2008 18:55:26 -0700
Love Hörnquist Åstrand <lha@kth.se> wrote:
> >
> > If not I'll make one and post it but I was hoping someone else had
> > done
> > this already
>
> The problem with sending preauth data is that you get back an error if
> you guess wrong salting.
>
> And it's usually an error w/o the ETYPE_INFO(2) that hints what salt
> to use.
I do not think that should be too much of a problem.
If krb5_get_init_creds_opt_set_preauth_list() is not used (or the
corresponding krb5.conf option is not set), then there is no change in
behavior. So any patch would only improve the intelligence of the AS-REQ
wrt PA.
If krb5_get_init_creds_opt_set_preauth_list() is used, and the error you
describe occurs, then we can set ptypes to NULL and simply start over. In
this worst-case scenario we end up trying 3 times instead of 2.
Also, a static "salt hint" could be used to reduce the error rate of
multiple AS-REQs from the same process.
Altogether I think it could be quite smart.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
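As an added illustration of the retry strategy argued for above (not code from the thread, nor Heimdal's or MIT's implementation), the following toy model of the AS exchange counts round trips for each case: no preauth list (unchanged, 2 trips), a correct salt guess (1 trip), a wrong guess that is discarded by starting over with ptypes cleared (3 trips), and a per-process salt hint cached from ETYPE_INFO2. `ToyKDC`, `string2key` and `SALT_HINT` are stand-ins constructed for this example; the only real values are the RFC 4120 error codes and the default-salt rule.

```python
import hashlib

PREAUTH_FAILED, PREAUTH_REQUIRED = 24, 25   # KDC error codes from RFC 4120
SALT_HINT = {}   # constructed per-process cache: princ -> salt learnt from ETYPE_INFO2

def string2key(password, salt):
    """Toy stand-in for string2key (the real one is a salted PBKDF/hash)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def default_salt(realm, princ):
    """RFC 4120 default salt: the realm followed by the principal components."""
    return realm + princ.replace("/", "")

class ToyKDC:
    """Constructed KDC stand-in; db maps princ -> (password, salt used by the KDC)."""
    def __init__(self, realm, db):
        self.realm, self.db = realm, db
    def as_req(self, princ, pa_key=None):
        pw, salt = self.db[princ]
        if pa_key is None:
            # No PA-DATA: demand preauth and hint the salt via ETYPE_INFO2.
            return PREAUTH_REQUIRED, {"etype_info2_salt": salt}
        if pa_key != string2key(pw, salt):
            # Key mismatch (typically a wrong salt guess): error with no salt hint.
            return PREAUTH_FAILED, {}
        return 0, {"tgt": f"TGT for {princ}"}

def get_init_creds(kdc, princ, password, preauth_list=None):
    """Returns (got_tgt, round_trips). A preauth list means: try PA first."""
    trips = 0
    if preauth_list:
        # Guess the salt: cached hint if we have one, else the RFC default.
        guess = SALT_HINT.get(princ, default_salt(kdc.realm, princ))
        trips += 1
        code, data = kdc.as_req(princ, string2key(password, guess))
        if code == 0:
            return True, trips
        # Wrong guess and no ETYPE_INFO2 came back: set ptypes to NULL, start over.
    trips += 1
    code, data = kdc.as_req(princ)           # plain AS-REQ without PA-DATA
    if code != PREAUTH_REQUIRED:
        return False, trips
    SALT_HINT[princ] = data["etype_info2_salt"]   # remember the hinted salt
    trips += 1
    code, data = kdc.as_req(princ, string2key(password, SALT_HINT[princ]))
    return code == 0, trips
```

Calling `get_init_creds` with a preauth list against a principal whose KDC salt is not the default yields 3 round trips the first time and 1 on the next call from the same process, while calls without a preauth list stay at 2.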