[19742] in Kerberos_V5_Development
Re: Pre-authentication fallback considerations
daemon@ATHENA.MIT.EDU (Robbie Harwood)
Thu Apr 5 11:52:51 2018
From: Robbie Harwood <rharwood@redhat.com>
To: Greg Hudson <ghudson@mit.edu>, krbdev@mit.edu
In-Reply-To: <x7dsh8bq2aq.fsf@equal-rites.mit.edu>
Date: Thu, 05 Apr 2018 11:47:29 -0400
Message-ID: <jlgtvspmz8u.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2487950489866146048=="
Errors-To: krbdev-bounces@mit.edu
--===============2487950489866146048==
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha512; protocol="application/pgp-signature"
--=-=-=
Content-Type: text/plain
Greg Hudson <ghudson@mit.edu> writes:
> I am considering implementing the following rules in the client
> preauth framework:
>
> 1. If a preauth mech reaches the point of generating an authenticated
> request, and it fails, do not fall back to another mechanism, and
> instead error out. (This point would be the first client message for
> most mechs, but for SPAKE, it would normally be the second client
> message as the first message is just a group offer. Mechs would
> indicate when they have reached this point via a new callback.)
>
> 2. If a preauth mech is tried optimistically and it fails, do not
> apply any special fallback considerations such as trying the same mech
> again, or falling back to another mechanism even if #1 applies.
With #2 included, this seems good to me.
Thanks,
--Robbie
--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEA5qc6hnelQjDaHWqJTL5F2qVpEIFAlrGRREACgkQJTL5F2qV
pEKfoBAAqOqaV83nCkCaSF0HD0WkjPVw+H6nS4ygcI1aSI8NivIvrAMKznfyasCR
GYfj24Rk4YykdST/uCQb+682zKqzyBNw+F4Rhgzc8fLdF0FXFm1i7AFP0cpQrWak
dlisunLeF7lvfgcuqnIWdgRhYRrPqnB60cxFZKTJMTyVYjQ753Q2Rjb1RdlNtAe6
s1QyTPzlivcYe/KOr+pYcHFBx3Dn/fKRJGFb1RGL4QN85KTw4+bYYlTBLq52W4Gs
IbelNzweyz8kEblj3yGe9d4Zo7OhSf/vMgiuvcWhUokeTG5pfrq/laDrak6DMg8Q
Qnh2TTqqYWA67TuDu1Z7Jd63cScKzoEF5YRfDbVCsjtP1i5fZiGIbKcVHSDA7nn8
6bXDWKud6GKC5g5lwlCMeV2WWrjZ+y0CkweLkS8Nj789dTAWwJ/WPL5/2Kx5FQP7
59vsmNLpQw4LsglHuoes2fMnJ1aOCaivdYC9n8FN8Hkx8HHr47yVIblYtrYo+Ox1
C6GEnGWlYNb0l9wtj7QAVMF9yWBx0UERfXVXIoRRk8PkMbLVeMQrLPGfQOj01Kgd
Jl/CAoHXdAgaALJ42rwXP8aN+Pqga/UPiYjpNa9QbtOrlDe4WB17Xq42vuE3OGrq
y/AGSvP8c3fYZ/7XmQC0xYZCY6lfXK00Oi/2btmo+xynh5TddJk=
=Yady
-----END PGP SIGNATURE-----
--=-=-=--
--===============2487950489866146048==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
--===============2487950489866146048==--