kdc_preauth.c (check_padata): If preauth fails because the preauth
authorTheodore Tso <tytso@mit.edu>
Wed, 27 Jan 1999 05:22:07 +0000 (05:22 +0000)
committerTheodore Tso <tytso@mit.edu>
Wed, 27 Jan 1999 05:22:07 +0000 (05:22 +0000)
data from the client was of an unknown type, and the principal does
not require preauth, then the preauth should be disregarded.
[krb5-kdc/652]

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11130 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/ChangeLog
src/kdc/kdc_preauth.c

index 861585654f98677ef9cf4018fa9aeb79a96cdc7e..d593227df0711a972956684fb4564ff016d99a0f 100644 (file)
@@ -1,3 +1,10 @@
+1998-12-17  Theodore Ts'o  <tytso@rsts-11.mit.edu>
+
+       * kdc_preauth.c (check_padata): If preauth fails because the
+               preauth data from the client was of an unknown type, and
+               the principal does not require preauth, then the preauth
+               should be disregarded.  [krb5-kdc/652]
+
 Mon Jan  4 23:50:45 1999  Tom Yu  <tlyu@mit.edu>
 
        * configure.in (withval): Conditinalize ATHENA_DES3_KLUDGE on
index 0324694a2e36f6721871247d3969f69c2045491b..d1b1b363762a00ccb5f9af0764005281ac6ba8eb 100644 (file)
@@ -301,6 +301,13 @@ check_padata (context, client, request, enc_tkt_reply)
     }
     if (pa_ok)
        return 0;
+
+    /* pa system was not found, but principal doesn't require preauth */
+    if (!pa_found &&
+        !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
+        !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+       return 0;
+
     if (!pa_found)
        com_err("krb5kdc", retval, "no valid preauth type found");
     return KRB5KDC_ERR_PREAUTH_FAILED;
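Review bot: The added early `return 0` in check_padata succeeds silently, so a request whose padata was all of unrecognized types and was disregarded leaves no trace in the KDC log, while the failure path just below does log through `com_err`. For audit purposes I would log before returning, for example `com_err("krb5kdc", 0, "unknown preauth type ignored");`. The function body starts outside this hunk, so it is not visible here whether `enc_tkt_reply` can end up marked as pre-authenticated on this path; presumably that flag is only set when `pa_ok` is true, but this should be confirmed. I would also expand the comment to state the invariant: `/* No known preauth system matched the client's padata; ignore it only if the principal requires neither preauth nor hw auth. Ticket must not be flagged pre-authenticated here. */`.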