[krbdev.mit.edu #7672] KDC can emit PREAUTH_REQUIRED error with useless hint list


Greg Hudson via RT-2
This scenario can also occur if the request enctypes list and the
client keys do not overlap, e.g.:

  make testrealm
  kadmin.local cpw -pw user -e aes256-cts user
  kadmin.local modprinc +preauth user
  in krb5.conf: [libdefaults] default_tkt_enctypes = aes128-cts
  kinit user

We tolerate the lack of a client key in case we can use PKINIT or OTP,
but when we can't offer one of those we offer the same meaningless
133/136 hint list as in the +hwauth case.
_______________________________________________
krb5-bugs mailing list
[hidden email]
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
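
As an added illustration (not part of the original message and not MIT krb5 code): a minimal DER reader that lists the padata types in a KRB-ERROR METHOD-DATA hint list and flags the case described above, where only types 133 (PA-FX-COOKIE) and 136 (PA-FX-FAST) are offered. The function names and the sample byte strings are constructed for this example.

```python
# Added example: names below are illustrative, not MIT krb5 identifiers.
# Padata types that carry FAST/cookie state only; neither is a mechanism
# the client can answer. 133 = PA-FX-COOKIE, 136 = PA-FX-FAST (RFC 6113).
INFO_ONLY = {133, 136}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    """Read one TLV and insist on its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return value, nxt

def padata_types(method_data):
    """List padata-type values in a DER METHOD-DATA (SEQUENCE OF PA-DATA)."""
    body, end = expect(method_data, 0, 0x30)
    if end != len(method_data):
        raise ValueError("trailing bytes after METHOD-DATA")
    types, pos = [], 0
    while pos < len(body):
        pa, pos = expect(body, pos, 0x30)      # one PA-DATA
        field, _ = expect(pa, 0, 0xA1)         # [1] padata-type
        num, _ = expect(field, 0, 0x02)        # INTEGER
        types.append(int.from_bytes(num, "big", signed=True))
    return types

def hint_list_is_useless(method_data):
    """True when the hint list names no preauth mechanism to answer."""
    return set(padata_types(method_data)) <= INFO_ONLY

# Constructed samples (empty padata-values), not captured traffic.
USELESS = bytes.fromhex("3018" "300aa10402020085a2020400"
                        "300aa10402020088a2020400")
USABLE = bytes.fromhex("3023" "3009a103020102a2020400"   # 2 = PA-ENC-TIMESTAMP
                       "300aa10402020085a2020400" "300aa10402020088a2020400")
```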