From 27901f6cce3588c9ac1aa6cadb6ee6147ca57a24 Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Thu, 30 Apr 2009 00:38:48 +0000
Subject: [PATCH] Do not return PREAUTH_FAILED on unknown preauth

If the KDC receives unknown pre-authentication data then ignore it. Do not get into a case where PREAUTH_FAILED is returned because of unknown pre-authentication. The main AS loop will cause PREAUTH_REQUIRED to be returned if the preauth_required flag is set and no valid preauth is found.
ticket: 6480
Target_Version: 1.7
Tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22292 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/kdc_preauth.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index b153bbf25..63f768756 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1204,17 +1204,11 @@ check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt,
 if (pa_ok)
 return 0;
- /* pa system was not found, but principal doesn't require preauth */
- if (!pa_found &&
- !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) &&
- !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH))
+ /* pa system was not found; we may return PREAUTH_REQUIRED later,
+ but we did not actually fail to verify the pre-auth. */
+ if (!pa_found)
 return 0;
- if (!pa_found) {
- emsg = krb5_get_error_message(context, retval);
- krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg);
- krb5_free_error_message(context, emsg);
- }
 /* The following switch statement allows us
 * to return some preauth system errors back to the client.
-- 
2.26.2
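Review bot: With the new `if (!pa_found) return 0;`, a zero return from check_padata no longer distinguishes "pre-auth verified" from "only unrecognised padata was sent", and the KRB5_KDB_REQUIRES_PRE_AUTH / KRB5_KDB_REQUIRES_HW_AUTH tests that used to guard this return are removed in this hunk. Enforcement of those flags now rests entirely on the caller, which the commit message describes but the hunk does not show, so it is worth confirming that the AS path rejects the request for both flags, not only REQUIRES_PRE_AUTH, when nothing was actually verified. I would state that contract in the comment, e.g. `/* No known pa system matched: nothing was verified; the caller must still enforce REQUIRES_PRE_AUTH / REQUIRES_HW_AUTH. */`. The deleted "no valid preauth type found" message was the only log trace of this case visible here, so consider keeping an informational `krb5_klog_syslog (LOG_INFO, "no valid preauth type found");` before the return so that requests carrying only unknown padata types remain visible in the KDC log. check_padata's body starts and ends outside the hunk.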