Always treat anonymous as preauth required
authorSam Hartman <hartmans@mit.edu>
Thu, 7 Jan 2010 18:32:15 +0000 (18:32 +0000)
committerSam Hartman <hartmans@mit.edu>
Thu, 7 Jan 2010 18:32:15 +0000 (18:32 +0000)
Always treat the WELLKNOWN/ANONYMOUS principal as requiring pre-authentication.  The anonymous draft depends on a pre-auth exchange to invoke pkinit.

ticket: 6623
target_version: 1.8
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23603 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/do_as_req.c

index 55493ba77964f856daafc6f952f3f26d1c8dd221..83d3101b641b3d42c4dffd9da24783b6bed7daef 100644 (file)
@@ -407,6 +407,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
             goto errout;
         }
         enc_tkt_reply.client = request->client;
+        setflag(client.attributes, KRB5_KDB_REQUIRES_PRE_AUTH);
     }
     /*
      * Check the preauthentication if it is there.