From: Sam Hartman Date: Tue, 21 Jan 2003 19:02:58 +0000 (+0000) Subject: Timestamp preauth should return clock skew errors X-Git-Tag: krb5-1.3-alpha1~147 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=bdae56ed80a3af96b4dfe1be05df9c4c8a2bf619;p=krb5.git Timestamp preauth should return clock skew errors When the user supplies the correct password, but has a timestamp that is out of bounds, the server should reply with a clock skew error rather than a preauth required error. ticket: new Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15130 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index 498a1efa1..22be4d31b 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,7 @@ +2003-01-21 Sam Hartman + + * kdc_preauth.c (check_padata): Permit returning KRB5KRB_AP_ERR_SKEW + 2003-01-12 Ezra Peisach * kdc_util.h, replay.c, main.c: Pass global krb5_context to diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 7c0c3f24f..1087e76c0 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -358,7 +358,15 @@ check_padata (krb5_context context, krb5_db_entry *client, if (!pa_found) krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", error_message (retval)); - return KRB5KDC_ERR_PREAUTH_FAILED; +/* The following switch statement allows us + * to return some preauth system errors back to the client. + */ + switch(retval) { + case KRB5KRB_AP_ERR_SKEW: + return retval; + default: + return KRB5KDC_ERR_PREAUTH_FAILED; + } } /*