Bug 1247608 - [RFE] Add support for multi-hop preauth mechs via |KDC_ERR_MORE_PREAUTH_DATA_REQUIRED| for RFC 6113 ("A Generalized Framework for Kerberos Pre-Authentication")
[RFE] Add support for multi-hop preauth mechs via |KDC_ERR_MORE_PREAUTH_DATA_...
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5 (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Robbie Harwood
Patrik Kis
: FutureFeature
Depends On: 1247606
Blocks: 1203889
  Show dependency treegraph
Reported: 2015-07-28 08:26 EDT by Roland Mainz
Modified: 2015-11-19 00:13 EST (History)
8 users (show)

See Also:
Fixed In Version: krb5-1.13.2-4.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1247606
Last Closed: 2015-11-19 00:13:53 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2154 normal SHIPPED_LIVE Moderate: krb5 security, bug fix, and enhancement update 2015-11-19 03:16:22 EST

  None (edit)
Description Roland Mainz 2015-07-28 08:26:33 EDT
+++ This bug was initially created as a clone of Bug #1247606 +++

[Note this is a dummy bug, the issue has already been fixed in 1.13-6, we're just filing it so we can clone the bug for RHEL7.2]

Description of problem:
RFE: Add support for multi-hop preauth mechs.

In the KDC, allow kdcpreauth modules to return

In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
modules can use the modreq parameter to distinguish between the first
and subsequent KDC messages. We assume that the error padata will
include an element of the preauth mech's type, or at least of a type
recognized by the clpreauth module.

Also reset the list of previously attempted preauth types for both
kinds of errors. That list is really only appropriate for retrying
after a failed preauth attempt, which we don't currently do. Add an
intermediate variable for the reply code to avoid a long conditional

--- Additional comment from Roland Mainz on 2015-07-28 08:24:53 EDT ---

Fixed in krb5-1.13-6.fc22 and rawhide.
Comment 1 Nathaniel McCallum 2015-07-28 15:32:26 EDT
QA should be sanity only.
Comment 2 Nathaniel McCallum 2015-07-28 16:34:35 EDT
FYI, this patch is low risk and addresses standards compliance. In particular, client support for this error code will be used in a feature we are developing currently.
Comment 3 Patrik Kis 2015-07-29 04:27:26 EDT
(In reply to Nathaniel McCallum from comment #2)
> FYI, this patch is low risk and addresses standards compliance. In
> particular, client support for this error code will be used in a feature we
> are developing currently.

Thanks for the extra explanation.
Comment 4 Roland Mainz 2015-07-29 11:02:14 EDT
Fix checked in (krb5-1.13.2-4.el7) ...

... marking bug as MODIFIED.
Comment 10 errata-xmlrpc 2015-11-19 00:13:53 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.