RFR 8227381: GSS login fails with PREAUTH_FAILED

Weijun Wang weijun.wang at oracle.com
Tue Jul 9 13:03:16 UTC 2019


Please take a look at

   http://cr.openjdk.java.net/~weijun/8227381/webrev.00/

When the client is talking to an old KDC that does not support referrals and only knows DES, it fails like this:

c: PA_REQ_ENC_PA_REP
s: KDC_ERR_PREAUTH_FAILED
c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
s: KDC_ERR_PREAUTH_FAILED
c: <fallback to no referrals> PA_ENC_TIMESTAMP using aes256-cts
s: KDC_ERR_PREAUTH_FAILED
c: <fail because too many KDC_ERR_PREAUTH_FAILED>

With this fix, whenever there is a referrals state change (fallback to no referrals, change realm), the preauth state (pakey and preAuthFailedOnce) is reset, so it will be

c: PA_REQ_ENC_PA_REP
s: KDC_ERR_PREAUTH_FAILED
c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
s: KDC_ERR_PREAUTH_FAILED
c: <fallback to no referrals with no PAData>
s: KDC_ERR_PREAUTH_REQUIRED suggesting des-cbc-md5
c: PA_ENC_TIMESTAMP using des-cbc-md5
s: AS-REP
c: <Hooray!>

Thanks,
Max
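
The two exchanges above can be replayed with a small model. This is an added example, not code from the webrev or the JDK: legacy_kdc(), login(), the reset_on_fallback switch and the aes256-cts default key are assumptions chosen to mirror the traces in the message, and the KDC is a constructed stand-in that has no referrals support and holds only a des-cbc-md5 key.

```python
# Toy model of the AS exchange described in the message; not JDK code.
REF, TS = "PA_REQ_ENC_PA_REP", "PA_ENC_TIMESTAMP"

def legacy_kdc(padata):
    """Constructed KDC: no referrals support, DES-only key for the principal."""
    if not padata:
        return ("KDC_ERR_PREAUTH_REQUIRED", "des-cbc-md5")
    if REF not in padata and padata.get(TS) == "des-cbc-md5":
        return ("AS-REP", None)
    return ("KDC_ERR_PREAUTH_FAILED", None)

def login(reset_on_fallback, default_etype="aes256-cts", max_rounds=8):
    """Return (succeeded, trace); each trace entry is (padata types, pakey, reply)."""
    referrals, pakey, preauth_failed_once = True, None, False
    trace = []
    for _ in range(max_rounds):
        padata = {}
        if referrals:
            padata[REF] = True
        if pakey:
            padata[TS] = pakey
        code, etype = legacy_kdc(padata)
        trace.append((sorted(padata), pakey, code))
        if code == "AS-REP":
            return True, trace
        if code == "KDC_ERR_PREAUTH_REQUIRED":
            pakey = etype                      # use the etype the KDC suggested
        elif not preauth_failed_once:
            preauth_failed_once = True
            pakey = default_etype              # retry once with a timestamp
        elif referrals:
            referrals = False                  # referrals state change
            if reset_on_fallback:              # the behaviour the fix describes
                pakey, preauth_failed_once = None, False
        else:
            return False, trace                # too many KDC_ERR_PREAUTH_FAILED
    return False, trace

if __name__ == "__main__":
    for fixed in (False, True):
        ok, trace = login(reset_on_fallback=fixed)
        print("with reset" if fixed else "without reset", "->", "ok" if ok else "fail")
        for types, key, reply in trace:
            print("  c:", " + ".join(types) or "<no PAData>", f"({key})", "| s:", reply)
```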



