RFR 8227381: GSS login fails with PREAUTH_FAILED

Xuelei Fan xuelei.fan at oracle.com
Tue Jul 9 13:11:29 UTC 2019


Looks fine to me.

Xuelei

On 7/9/2019 6:03 AM, Weijun Wang wrote:
> Please take a review at
> 
>     http://cr.openjdk.java.net/~weijun/8227381/webrev.00/
> 
> When the client is talking to an old KDC that does not support referrals and only knows DES, it fails like this:
> 
> c: PA_REQ_ENC_PA_REP
> s: KDC_ERR_PREAUTH_FAILED
> c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
> s: KDC_ERR_PREAUTH_FAILED
> c: <fallback to no referrals> PA_ENC_TIMESTAMP using aes256-cts
> s: KDC_ERR_PREAUTH_FAILED
> c: <fail because too many KDC_ERR_PREAUTH_FAILED>
> 
> With this fix, whenever there is a referrals state change (fallback to no referrals, change realm), the preauth state (pakey and preAuthFailedOnce) is reset, so it will be
> 
> c: PA_REQ_ENC_PA_REP
> s: KDC_ERR_PREAUTH_FAILED
> c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
> s: KDC_ERR_PREAUTH_FAILED
> c: <fallback to no referrals with no PAData>
> s: KDC_ERR_PREAUTH_REQUIRED suggesting des-cbc-md5
> c: PA_ENC_TIMESTAMP using des-cbc-md5
> s: AS-REP
> c: <Hooray!>
> 
> Thanks,
> Max
> 


More information about the security-dev mailing list