Do not return PREAUTH_FAILED on unknown preauth
authorSam Hartman <hartmans@mit.edu>
Thu, 30 Apr 2009 00:38:48 +0000 (00:38 +0000)
committerSam Hartman <hartmans@mit.edu>
Thu, 30 Apr 2009 00:38:48 +0000 (00:38 +0000)
If the KDC receives unknown pre-authentication data then ignore it.
Do not get into a case where PREAUTH_FAILED is returned because of
unknown pre-authentication.  The main AS loop will cause
PREAUTH_REQUIRED to be returned if the preauth_required flag is set
and no valid preauth is found.

ticket: 6480
Target_Version: 1.7
Tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22292 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/kdc_preauth.c

index b153bbf25761fceffab1559964677a9259280214..63f76875607d5dbfadfd74d0f942beb646e240a5 100644 (file)
@@ -1204,17 +1204,11 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
     if (pa_ok)
        return 0;
 
-    /* pa system was not found, but principal doesn't require preauth */
-    if (!pa_found &&
-       !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
-       !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+    /* pa system was not found; we may return PREAUTH_REQUIRED later,
+       but we did not actually fail to verify the pre-auth. */
+    if (!pa_found)
        return 0;
 
-    if (!pa_found) {
-       emsg = krb5_get_error_message(context, retval);
-       krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg);
-       krb5_free_error_message(context, emsg);
-    }
 
     /* The following switch statement allows us
      * to return some preauth system errors back to the client.
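Review bot: The new early `return 0` on the `if (!pa_found)` path silently drops the LOG_INFO record that the removed block emitted, so a KDC operator no longer gets any log line when a request carries only unrecognized padata types; the new comment explains the return code but not the lost visibility. Consider keeping a one-line log before the early return, e.g. `krb5_klog_syslog(LOG_INFO, "no valid preauth type found");` without the `emsg` lookup, since it is not clear from the hunk that `retval` holds a meaningful error on this path (verify against the loop above). Ignoring the data is only safe as long as the caller really does answer PREAUTH_REQUIRED for principals carrying KRB5_KDB_REQUIRES_PRE_AUTH or KRB5_KDB_REQUIRES_HW_AUTH, as the commit message states; that check lives outside this hunk, as does the rest of check_padata, which starts before and continues past it. With the block removed, the two consecutive blank lines after the second `return 0;` could also be collapsed to one.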