When the user supplies the correct password, but has a timestamp that
is out of bounds, the server should reply with a clock skew error
rather than a preauth required error.
ticket: new
Tags: enhancement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15130 dc483132-0cff-0310-8789-dd5450dbe970
+2003-01-21 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_preauth.c (check_padata): Permit returning KRB5KRB_AP_ERR_SKEW
+
2003-01-12 Ezra Peisach <epeisach@bu.edu>
* kdc_util.h, replay.c, main.c: Pass global krb5_context to
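Review bot: the check_padata entry stops at "Permit returning KRB5KRB_AP_ERR_SKEW" and does not record the client-visible effect. Add that this code is now returned to the client in place of KRB5KDC_ERR_PREAUTH_FAILED and that every other preauth failure still maps to KRB5KDC_ERR_PREAUTH_FAILED, so the ChangeLog matches what the switch in kdc_preauth.c does.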
if (!pa_found)
krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s",
error_message (retval));
- return KRB5KDC_ERR_PREAUTH_FAILED;
+/* The following switch statement allows us
+ * to return some preauth system errors back to the client.
+ */
+ switch(retval) {
+ case KRB5KRB_AP_ERR_SKEW:
+ return retval;
+ default:
+ return KRB5KDC_ERR_PREAUTH_FAILED;
+ }
}
/*
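Review bot: the comment above switch(retval) says only that "some preauth system errors" go back to the client and does not state the condition that makes KRB5KRB_AP_ERR_SKEW safe to expose. The commit message assumes the client supplied the correct password, but nothing in these lines checks which preauth mechanism set retval or that it verified the key before reporting skew. Document in the comment that a code may be added to this switch only if the verifier returns it after the client has proven knowledge of the key, so that later cases do not leak more detail about a failed attempt than KRB5KDC_ERR_PREAUTH_FAILED does. The "no valid preauth type found" log line is also still guarded only by if (!pa_found), so consider logging the skew case explicitly for operators tracing clock problems.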