communications with KDC in calling krb5_get_init_creds_password()


communications with KDC in calling krb5_get_init_creds_password()

Bin Lu
Hi,

In calling the above lib function, I noticed that it talks to the KDC 3 times, in the for loop of function init_creds_get() in the get_in_tkt.c file. The first 2 times are over UDP and the last time is over TCP, because the 2nd krb5_init_creds_step() returns KRB5KRB_ERR_RESPONSE_TOO_BIG.

Questions:

1.      Why does the API need to talk to the KDC twice in order to validate the password? As I understand it, all it needs is to check whether it can decrypt the TGS session key returned in the 1st response.

2.      What data received from the KDC would cause RESPONSE TOO BIG in this API, the credential?


Thanks,
-binlu
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: communications with KDC in calling krb5_get_init_creds_password()

Greg Hudson
On 06/25/2014 03:05 PM, Bin Lu wrote:
> 1.      Why does the API need to talk to the KDC twice in order to validate the password? As I understand it, all it needs is to check whether it can decrypt the TGS session key returned in the 1st response.

If the KDC requires preauthentication for that principal, two
round-trips are usually needed.  The first reply indicates what preauth
mechanisms the KDC supports, and the second contains the actual ticket.

> 2.      What data received from the KDC would cause RESPONSE TOO BIG in this API, the credential?

Probably a large PAC
(http://msdn.microsoft.com/en-us/library/cc237917.aspx) in the
authorization data of the ticket.
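The three round trips described in this thread, as an added simulation (not MIT krb5 code and not part of the original posts): a fake KDC that requires preauthentication and attaches a PAC-sized blob to the ticket, and a client loop modelled on the init_creds_get() retry loop. First request gets KDC_ERR_PREAUTH_REQUIRED, the second carries encrypted-timestamp preauth and is refused with KRB_ERR_RESPONSE_TOO_BIG over UDP, the third succeeds over TCP. The error and padata numbers are from RFC 4120; the string-to-key and "encrypted timestamp" are HMAC stand-ins, the size limits, realm and principal are constructed, and FakeKdc / get_init_creds_password are hypothetical names.

```python
"""Simulated Kerberos AS exchange reproducing the round-trip pattern from the
thread: preauth-required error, encrypted-timestamp preauth, then UDP -> TCP
fallback on KRB_ERR_RESPONSE_TOO_BIG. Crypto here is a stand-in, not Kerberos."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Error codes and padata types from RFC 4120.
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
KRB_ERR_RESPONSE_TOO_BIG = 52
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO2 = 19

# Constructed sizes for the simulation (real code reacts to the KDC's error,
# not to a fixed number).
UDP_MAX_REPLY = 1400      # bytes a UDP reply may carry in this model
BASE_AS_REP = 600         # size of an AS-REP with no authorization data


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function (RFC 3962 uses PBKDF2
    followed by an AES step; plain PBKDF2-HMAC-SHA256 is enough here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)


def enc_timestamp(key: bytes, stamp: int) -> bytes:
    """Stand-in for PA-ENC-TIMESTAMP: an HMAC over the timestamp."""
    return hmac.new(key, str(stamp).encode(), "sha256").digest()


@dataclass
class KdcReply:
    kind: str                       # "AS-REP" or "KRB-ERROR"
    error: int = 0                  # error-code when kind == "KRB-ERROR"
    padata: dict = field(default_factory=dict)


class FakeKdc:
    """Simulated KDC: requires preauth and attaches a PAC-sized blob."""

    def __init__(self, realm: str, principals: dict, pac_size: int):
        self.realm = realm
        self.principals = principals    # constructed: name -> password
        self.pac_size = pac_size

    def handle(self, req: dict, transport: str) -> KdcReply:
        cname = req["cname"]
        salt = self.realm + cname       # default salt: realm + principal name
        key = string_to_key(self.principals[cname], salt)
        ts = req["padata"].get(PA_ENC_TIMESTAMP)
        if ts is None:
            # Round trip 1: tell the client which preauth it must supply.
            return KdcReply("KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED,
                            {PA_ETYPE_INFO2: salt})
        stamp, mac = ts
        if not hmac.compare_digest(enc_timestamp(key, stamp), mac):
            return KdcReply("KRB-ERROR", KDC_ERR_PREAUTH_FAILED)
        # Preauth verified; refuse to send an oversized AS-REP over UDP.
        if transport == "udp" and BASE_AS_REP + self.pac_size > UDP_MAX_REPLY:
            return KdcReply("KRB-ERROR", KRB_ERR_RESPONSE_TOO_BIG)
        return KdcReply("AS-REP")


def get_init_creds_password(kdc: FakeKdc, cname: str, password: str,
                            max_round_trips: int = 4):
    """Model of the init_creds_get() loop. Returns (success, trace), where
    trace holds one (transport, reply kind, error code) tuple per round trip."""
    transport = "udp"
    padata: dict = {}
    trace = []
    for _ in range(max_round_trips):
        reply = kdc.handle({"cname": cname, "padata": padata}, transport)
        trace.append((transport, reply.kind, reply.error))
        if reply.kind == "AS-REP":
            return True, trace
        if reply.error == KDC_ERR_PREAUTH_REQUIRED:
            # Derive the key from the password and answer with a timestamp.
            key = string_to_key(password, reply.padata[PA_ETYPE_INFO2])
            stamp = int(time.time())
            padata = {PA_ENC_TIMESTAMP: (stamp, enc_timestamp(key, stamp))}
            continue
        if reply.error == KRB_ERR_RESPONSE_TOO_BIG and transport == "udp":
            transport = "tcp"       # resend the same request over TCP
            continue
        return False, trace         # any other error is fatal
    return False, trace


if __name__ == "__main__":
    kdc = FakeKdc("EXAMPLE.COM", {"binlu": "correct horse"}, pac_size=2000)
    ok, trace = get_init_creds_password(kdc, "binlu", "correct horse")
    for hop in trace:
        print(hop)
    print("success" if ok else "failure")
```

With a 2000-byte PAC the trace is UDP/PREAUTH_REQUIRED, UDP/RESPONSE_TOO_BIG, TCP/AS-REP; shrink the PAC and the exchange finishes in two round trips, and a wrong password ends after two with KDC_ERR_PREAUTH_FAILED. In MIT krb5 the `udp_preference_limit` setting in the `[libdefaults]` section of krb5.conf controls the request size above which the library goes to TCP first, which avoids the wasted UDP round trip when large replies are expected.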