[19742] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: Pre-authentication fallback considerations

daemon@ATHENA.MIT.EDU (Robbie Harwood)
Thu Apr 5 11:52:51 2018

From: Robbie Harwood <rharwood@redhat.com>
To: Greg Hudson <ghudson@mit.edu>, krbdev@mit.edu
In-Reply-To: <x7dsh8bq2aq.fsf@equal-rites.mit.edu>
Date: Thu, 05 Apr 2018 11:47:29 -0400
Message-ID: <jlgtvspmz8u.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2487950489866146048=="
Errors-To: krbdev-bounces@mit.edu

--===============2487950489866146048==
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"

--=-=-=
Content-Type: text/plain

Greg Hudson <ghudson@mit.edu> writes:

> I am considering implementing the following rules in the client
> preauth framework:
>
> 1. If a preauth mech reaches the point of generating an authenticated
> request, and it fails, do not fall back to another mechanism, and
> instead error out.  (This point would be the first client message for
> most mechs, but for SPAKE, it would normally be the second client
> message as the first message is just a group offer.  Mechs would
> indicate when they have reached this point via a new callback.)
>
> 2. If a preauth mech is tried optimistically and it fails, do not
> apply any special fallback considerations such as trying the same mech
> again, or falling back to another mechanism even if #1 applies.

With #2 included, this seems good to me.

Thanks,
--Robbie

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEA5qc6hnelQjDaHWqJTL5F2qVpEIFAlrGRREACgkQJTL5F2qV
pEKfoBAAqOqaV83nCkCaSF0HD0WkjPVw+H6nS4ygcI1aSI8NivIvrAMKznfyasCR
GYfj24Rk4YykdST/uCQb+682zKqzyBNw+F4Rhgzc8fLdF0FXFm1i7AFP0cpQrWak
dlisunLeF7lvfgcuqnIWdgRhYRrPqnB60cxFZKTJMTyVYjQ753Q2Rjb1RdlNtAe6
s1QyTPzlivcYe/KOr+pYcHFBx3Dn/fKRJGFb1RGL4QN85KTw4+bYYlTBLq52W4Gs
IbelNzweyz8kEblj3yGe9d4Zo7OhSf/vMgiuvcWhUokeTG5pfrq/laDrak6DMg8Q
Qnh2TTqqYWA67TuDu1Z7Jd63cScKzoEF5YRfDbVCsjtP1i5fZiGIbKcVHSDA7nn8
6bXDWKud6GKC5g5lwlCMeV2WWrjZ+y0CkweLkS8Nj789dTAWwJ/WPL5/2Kx5FQP7
59vsmNLpQw4LsglHuoes2fMnJ1aOCaivdYC9n8FN8Hkx8HHr47yVIblYtrYo+Ox1
C6GEnGWlYNb0l9wtj7QAVMF9yWBx0UERfXVXIoRRk8PkMbLVeMQrLPGfQOj01Kgd
Jl/CAoHXdAgaALJ42rwXP8aN+Pqga/UPiYjpNa9QbtOrlDe4WB17Xq42vuE3OGrq
y/AGSvP8c3fYZ/7XmQC0xYZCY6lfXK00Oi/2btmo+xynh5TddJk=
=Yady
-----END PGP SIGNATURE-----
--=-=-=--

--===============2487950489866146048==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

--===============2487950489866146048==--

home help back first fref pref prev next nref lref last post