From 5f39a4438eafd693a3eb8366bbc3901efe62e538 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Tue, 17 Apr 2012 04:07:34 +0000
Subject: Allow preauth mechs to work with clock skew
Add a clpreauth callback which gets the time of day using an offset determined by the preauth-required error, and use it in encrypted timestamp and encrypted challenge. This timestamp is not necessarily authenticated, but the security consequences for those preauth mechs are minor (and can be mitigated by turning off kdc_timesync on clients). Based on a patch from Stef Walter.
ticket: 7114
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25808 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/tests/t_skew.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
(limited to 'src/tests')
diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py
index f00c2f920..f831035ac 100644
--- a/src/tests/t_skew.py
+++ b/src/tests/t_skew.py
@@ -13,9 +13,13 @@ realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
 realm.run_as_client([kvno, realm.host_princ])
 realm.run_as_client([kdestroy])
-# kinit (with preauth) should fail.
+# kinit (with preauth) should work, with or without FAST.
 realm.run_kadminl('modprinc +requires_preauth user')
-realm.kinit(realm.user_princ, password('user'), expected_code=1)
+realm.kinit(realm.user_princ, password('user'))
+realm.run_as_client([kvno, realm.host_princ])
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache])
+realm.run_as_client([kvno, realm.host_princ])
+realm.run_as_client([kdestroy])
 realm.stop()
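Review bot: The rewritten comment above `realm.run_kadminl('modprinc +requires_preauth user')` says the preauth kinit should work but not why, and the reason is security-relevant: per the commit description the client now builds its timestamp from an offset taken from the preauth-required error, which is not necessarily authenticated. I would record that in the test, e.g. `# kinit (with preauth) should work, with or without FAST: the client applies the time offset from the preauth-required error, which is not necessarily authenticated.` The realm setup that creates the skew is outside this hunk, so presumably this half runs with kdc_timesync enabled; naming that setting in the comment would tie the expectation to it.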
@@ -31,8 +35,10 @@ realm.run_as_client([kvno, realm.host_princ], expected_code=1)
 realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache], expected_code=1)
-# kinit (with preauth) should fail.
+# kinit (with preauth) should fail, with or without FAST.
 realm.run_kadminl('modprinc +requires_preauth user')
 realm.kinit(realm.user_princ, password('user'), expected_code=1)
+realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache],
+ expected_code=1)
 success('Clock skew tests')
-- cgit
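Review bot: The added FAST `realm.kinit(..., flags=['-T', realm.ccache], expected_code=1)` at the end of this hunk may not exercise the preauth path at all: the context lines show the same FAST kinit already exiting 1 before `requires_preauth` is set, so it would fail the same way whether or not encrypted challenge rejects the skewed timestamp. Both the new and the existing checks assert only exit status 1, which any kinit failure satisfies. If the harness can expose kinit's output, asserting on the clock-skew error text would make this a real negative test; otherwise a comment such as `# FAST already fails under skew above; this does not isolate the preauth check.` would keep readers from over-trusting it. The realm configuration for this half of the script is outside the hunk.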