RFR 8227381: GSS login fails with PREAUTH_FAILED
Xuelei Fan
xuelei.fan at oracle.com
Tue Jul 9 13:11:29 UTC 2019
Looks fine to me.
Xuelei
On 7/9/2019 6:03 AM, Weijun Wang wrote:
> Please take a look at
>
> http://cr.openjdk.java.net/~weijun/8227381/webrev.00/
>
> When the client is talking to an old KDC that does not support referrals and only knows DES, it fails like this:
>
> c: PA_REQ_ENC_PA_REP
> s: KDC_ERR_PREAUTH_FAILED
> c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
> s: KDC_ERR_PREAUTH_FAILED
> c: <fallback to no referrals> PA_ENC_TIMESTAMP using aes256-cts
> s: KDC_ERR_PREAUTH_FAILED
> c: <fail because too many KDC_ERR_PREAUTH_FAILED>
>
> With this fix, whenever there is a referrals state change (fallback to no referrals, change realm), the preauth state (pakey and preAuthFailedOnce) is reset, so it will be
>
> c: PA_REQ_ENC_PA_REP
> s: KDC_ERR_PREAUTH_FAILED
> c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
> s: KDC_ERR_PREAUTH_FAILED
> c: <fallback to no referrals with no PAData>
> s: KDC_ERR_PREAUTH_REQUIRED suggesting des-cbc-md5
> c: PA_ENC_TIMESTAMP using des-cbc-md5
> s: AS-REP
> c: <Hooray!>
>
> Thanks,
> Max
>