Timestamp preauth should return clock skew errors
author Sam Hartman <hartmans@mit.edu>
Tue, 21 Jan 2003 19:02:58 +0000 (19:02 +0000)
committer Sam Hartman <hartmans@mit.edu>
Tue, 21 Jan 2003 19:02:58 +0000 (19:02 +0000)
When the user supplies the correct password, but has a timestamp that
is out of bounds, the server should reply with a clock skew error
rather than a preauth required error.

ticket: new
Tags: enhancement

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15130 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/kdc_preauth.c

index 498a1efa19e0209b1af864262996f72bb9920609..22be4d31b57a501025b79baab7b110693f254a60 100644 (file)
@@ -1,3 +1,7 @@
+2003-01-21  Sam Hartman  <hartmans@mit.edu>
+
+       * kdc_preauth.c (check_padata): Permit returning KRB5KRB_AP_ERR_SKEW
+
 2003-01-12  Ezra Peisach  <epeisach@bu.edu>
 
        * kdc_util.h, replay.c, main.c: Pass global krb5_context to
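Review bot: The new ChangeLog entry for check_padata says only "Permit returning KRB5KRB_AP_ERR_SKEW" and omits what the code returned before and when the new value is used. Suggest wording along the lines of "Return KRB5KRB_AP_ERR_SKEW to the client instead of mapping it to KRB5KDC_ERR_PREAUTH_FAILED", so the entry records the behaviour change that clients will see.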
index 7c0c3f24f05496c1742f4f8c66fd0ab3516a4199..1087e76c0a1f7013744d2bd5bed6c4423466a497 100644 (file)
@@ -358,7 +358,15 @@ check_padata (krb5_context context, krb5_db_entry *client,
     if (!pa_found)
        krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s",
                          error_message (retval));
-    return KRB5KDC_ERR_PREAUTH_FAILED;
+/* The following switch statement allows us
+ * to return some preauth system errors back to the client.
+ */
+        switch(retval) {
+    case KRB5KRB_AP_ERR_SKEW:
+       return retval;
+    default:
+       return KRB5KDC_ERR_PREAUTH_FAILED;
+    }
 }
 
 /*
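Review bot: The comment above the new switch at the end of check_padata says only that "some preauth system errors" go back to the client, without recording why KRB5KRB_AP_ERR_SKEW is safe to pass through. Per the commit message, this case means the password was correct, so a client that receives the skew error rather than KRB5KDC_ERR_PREAUTH_FAILED learns that its key was right. Please state that reasoning in the comment so later additions to the case list are held to the same test. The switch also acts on whatever value retval holds at this point, and the visible lines do not show that it can only come from the timestamp check the commit message describes, so a one-line note on where retval is set would help. The commit message speaks of a "preauth required" error while the replaced line returns KRB5KDC_ERR_PREAUTH_FAILED, so one of the two should be aligned. On style, the comment block starts at column 0, `switch(retval) {` is indented eight spaces while its `case` labels sit at four, and `switch(retval)` drops the space before the parenthesis that `krb5_klog_syslog (` and `error_message (` use just above.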