
Re: preauth_always option?



On Jun 3, 2008, at 19:45, Jeffrey Hutzelman wrote:
> In part, that's because KDC_ERR_PREAUTH_REQUIRED is defined to  
> return TYPED-DATA e-data, while KDC_ERR_PREAUTH_FAILED is not.  So  
> if you try preauth and guess wrong, you don't get enough information  
> back from the KDC to get it right, whereas if you don't try preauth,  
> the KDC tells you what you need to know.

Maybe we should spec out some data the client can send to say, "I'm  
guessing that XXXX is the salt/preauth/whatever non-secret parameters,  
let me know if I'm wrong", and if it doesn't match what the KDC would  
send, all or some of the preauth data from the client is discarded and  
the request is treated like a normal no-preauth request, resulting in  
PREAUTH-REQUIRED and typed-data...

I'm not sure if there'd be any security impact of having the KDC  
return PREAUTH-REQUIRED in that case; it seems pretty close logically  
to having the client follow up a PREAUTH-FAILED error with a separate  
no-preauth AS-REQ and get the PREAUTH-REQUIRED that way.  It would  
still have to be possible for the request to fail, e.g., if the  
assumed salt string were correct but the resulting encryption key were  
wrong.

Ken
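
The exchange proposed in the message above, modelled as an added example that is not part of the original post or of any Kerberos implementation. The `salt_hint` field, the function names, the sample principal, and the use of PBKDF2 and HMAC in place of string-to-key and the encrypted timestamp are all assumptions made for illustration.

```python
import hashlib
import hmac

def string_to_key(password, salt):
    # Assumption: PBKDF2 stands in for a Kerberos string-to-key function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

# Constructed principal database: name -> (salt, long-term key).
KDC_DB = {"alice": ("EXAMPLE.COMalice",
                    string_to_key("correct horse", "EXAMPLE.COMalice"))}

def make_preauth(password, guessed_salt, now):
    """Client: timestamp proof under the guessed salt, plus the guess itself."""
    ts = str(int(now)).encode()
    key = string_to_key(password, guessed_salt)
    return {"salt_hint": guessed_salt, "ts": ts,
            "mac": hmac.new(key, ts, hashlib.sha256).digest()}

def kdc_as_req(principal, preauth, now, skew=300):
    """KDC side of the proposed behaviour; returns (result, e_data)."""
    salt, key = KDC_DB[principal]
    hints = {"salt": salt}  # the non-secret parameters typed-data would carry
    if preauth is None:
        return "KDC_ERR_PREAUTH_REQUIRED", hints
    if preauth["salt_hint"] != salt:
        # Wrong guess: discard the preauth data and answer as for no preauth.
        return "KDC_ERR_PREAUTH_REQUIRED", hints
    expected = hmac.new(key, preauth["ts"], hashlib.sha256).digest()
    fresh = abs(now - int(preauth["ts"])) <= skew
    if fresh and hmac.compare_digest(expected, preauth["mac"]):
        return "AS-REP", None
    # The salt guess matched but the key (or timestamp) did not: still fails.
    return "KDC_ERR_PREAUTH_FAILED", None

def client_login(principal, password, guessed_salt, now):
    """Optimistic preauth with one retry using the KDC's hints; returns trace."""
    result, e_data = kdc_as_req(
        principal, make_preauth(password, guessed_salt, now), now)
    trace = [result]
    if result == "KDC_ERR_PREAUTH_REQUIRED":
        retry = make_preauth(password, e_data["salt"], now)
        result, _ = kdc_as_req(principal, retry, now)
        trace.append(result)
    return trace
```

In this model a wrong salt guess yields exactly the reply a no-preauth request would get, and a correct guess with a wrong key still fails, matching the two cases the message distinguishes.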