From 4d5d309d8a0198ca49fd0f9cde7d3f990fcf8e52 Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Mon, 7 Feb 2000 03:55:12 +0000 Subject: [PATCH] updated some comments (fcusack) git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12009 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/get_in_tkt.c | 6 ++++++ src/lib/krb5/krb/preauth2.c | 9 +++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 86978f360..84fdb5213 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -960,6 +960,12 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data, /* XXX if there's padata on output, something is wrong, but it's not obviously an error */ + /* XXX For 1.1.1 and prior KDC's, when SAM is used w/ USE_SAD_AS_KEY, + the AS_REP comes back encrypted in the user's longterm key + instead of in the SAD. If there was a SAM preauth, there + will be an as_key here which will be the SAD. If that fails, + use the gak_fct to get the password, and try again. */ + /* XXX because etypes are handled poorly (particularly wrt SAM, where the etype is fixed by the kdc), we may want to try decrypt_as_reply twice. If there's an as_key available, try diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index 5771170c3..94a22d396 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -105,11 +105,6 @@ krb5_error_code pa_enc_timestamp(krb5_context context, krb5_enc_data enc_data; krb5_pa_data *pa; - /* - * We need to use the password as part or all of the key. - * If as_key contains info, it should be the users pass phrase. - * If not, get the password before issuing the challenge. - */ if (as_key->length == 0) { if (ret = ((*gak_fct)(context, request->client, request->ktype[0], prompter, prompter_data, 
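Review bot: In the comment added to krb5_get_init_creds, "If that fails" has no clear antecedent, because the preceding sentence only says an as_key will be present, not that a decryption is attempted with it. I would word it as `If decrypting the AS_REP with that as_key fails, use the gak_fct to get the password, and try again.` The comment could also state that this retry exists only for compatibility with 1.1.1 and earlier KDCs. As described, it means a reply encrypted in the long-term key is accepted even though SAM preauth was used, which is presumably something to remove once those KDCs are gone. The code that performs the retry lies outside the hunk, so this is based on the comment text alone.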
@@ -316,7 +311,9 @@ krb5_error_code pa_sam(krb5_context context, salt = NULL; #endif - /* XXX the server uses this fixed enctype, so we will, too. */ + /* XXX As of the passwords-04 draft, no enctype is specified, + the server uses ENCTYPE_DES_CBC_MD5. In the future the + server should send a PA-SAM-ETYPE-INFO containing the enctype. */ ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5, &response_data, salt, as_key); -- 2.26.2
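Review bot: The rewritten comment in pa_sam explains where ENCTYPE_DES_CBC_MD5 comes from but not what the hard-coded constant implies: the as_key produced by `krb5_c_string_to_key` here is always a single-DES key. A closing sentence such as `Until then the as_key is always single DES; replace the constant once the server supplies an enctype.` would mark the line that has to change. The first sentence is also a comma splice ("no enctype is specified, the server uses ...") and reads better with "so" or a semicolon. pa_sam's body continues outside the hunk, so how `ret` is handled after this call is not visible here.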