author | Sam Hartman <hartmans@mit.edu> | 2003-01-21 19:02:58 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2003-01-21 19:02:58 +0000 |
commit | bdae56ed80a3af96b4dfe1be05df9c4c8a2bf619 (patch) | |
tree | e8d6d8a49b170732b1131ff1a25cb2ebe115cd4d | |
parent | 245fc0554350ee6d155b5dd344741e6fa790f898 (diff) | |
Timestamp preauth should return clock skew errors
When the user supplies the correct password, but has a timestamp that
is out of bounds, the server should reply with a clock skew error
rather than a preauth required error.
ticket: new
Tags: enhancement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15130 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/kdc/ChangeLog | 4 | ||||
-rw-r--r-- | src/kdc/kdc_preauth.c | 10 |
2 files changed, 13 insertions, 1 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index 498a1efa19..22be4d31b5 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,7 @@ +2003-01-21 Sam Hartman <hartmans@mit.edu> + + * kdc_preauth.c (check_padata): Permit returning KRB5KRB_AP_ERR_SKEW + 2003-01-12 Ezra Peisach <epeisach@bu.edu> * kdc_util.h, replay.c, main.c: Pass global krb5_context to diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 7c0c3f24f0..1087e76c0a 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -358,7 +358,15 @@ check_padata (krb5_context context, krb5_db_entry *client, if (!pa_found) krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", error_message (retval)); - return KRB5KDC_ERR_PREAUTH_FAILED; +/* The following switch statement allows us + * to return some preauth system errors back to the client. + */ + switch(retval) { + case KRB5KRB_AP_ERR_SKEW: + return retval; + default: + return KRB5KDC_ERR_PREAUTH_FAILED; + } } /* |
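Review bot: The new switch at the end of check_padata returns KRB5KRB_AP_ERR_SKEW whenever retval holds it, but nothing in the hunk ties that to the condition the commit message gives (correct password, timestamp out of bounds). The comment above the switch should state that invariant, namely that a verifier may only produce the skew code after the preauth data has been checked against the client's key, because otherwise an unauthenticated client could tell the two outcomes apart. The skew return is also silent when pa_found is set, since the only krb5_klog_syslog call in view sits under `if (!pa_found)`; a log line on the `case KRB5KRB_AP_ERR_SKEW:` path would let operators separate clock problems from failed preauth. Style: the added comment block appears to start in column 0 while the code around it is indented.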