Timestamp preauth should return clock skew errors

When the user supplies the correct password, but has a timestamp that is out of bounds, the server should reply with a clock skew error rather than a preauth required error. ticket: new Tags: enhancement git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15130 dc483132-0cff-0310-8789-dd5450dbe970
author: Sam Hartman <hartmans@mit.edu> 2003-01-21 19:02:58 +0000
committer: Sam Hartman <hartmans@mit.edu> 2003-01-21 19:02:58 +0000
commit: bdae56ed80a3af96b4dfe1be05df9c4c8a2bf619 (patch)
tree: e8d6d8a49b170732b1131ff1a25cb2ebe115cd4d /src/kdc/kdc_preauth.c
parent: 245fc0554350ee6d155b5dd344741e6fa790f898 (diff)
download: krb5-bdae56ed80a3af96b4dfe1be05df9c4c8a2bf619.tar.gz
krb5-bdae56ed80a3af96b4dfe1be05df9c4c8a2bf619.tar.xz
krb5-bdae56ed80a3af96b4dfe1be05df9c4c8a2bf619.zip
1 files changed, 9 insertions, 1 deletions
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 7c0c3f24f0..1087e76c0a 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -358,7 +358,15 @@ check_padata (krb5_context context, krb5_db_entry *client,
     if (!pa_found)
 	krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s",
 			  error_message (retval));
-    return KRB5KDC_ERR_PREAUTH_FAILED;
+/* The following switch statement allows us
+ * to return some preauth system errors back to the client.
+ */
+        switch(retval) {
+    case KRB5KRB_AP_ERR_SKEW:
+	return retval;
+    default:
+	return KRB5KDC_ERR_PREAUTH_FAILED;
+    }
 }
 
 /*
author	Sam Hartman <hartmans@mit.edu>	2003-01-21 19:02:58 +0000
committer	Sam Hartman <hartmans@mit.edu>	2003-01-21 19:02:58 +0000
commit	bdae56ed80a3af96b4dfe1be05df9c4c8a2bf619 (patch)
tree	e8d6d8a49b170732b1131ff1a25cb2ebe115cd4d /src/kdc/kdc_preauth.c
parent	245fc0554350ee6d155b5dd344741e6fa790f898 (diff)
download	krb5-bdae56ed80a3af96b4dfe1be05df9c4c8a2bf619.tar.gz krb5-bdae56ed80a3af96b4dfe1be05df9c4c8a2bf619.tar.xz krb5-bdae56ed80a3af96b4dfe1be05df9c4c8a2bf619.zip