Sumit Bose <sbose(a)redhat.com> wrote
Wed, 18 May 2011 14:09:34 +0200:
| > I recently pushed[0] some code for putting the nonce in the PA-FX-COOKIE
| > (to branch otp-wip of git://git.nordu.net/krb-otp.git). It took some
| > changes to generic FAST code though. Please let me know if you think
| > this isn't a good way of solving it. For example, I can't really see
| > how this is supposed to work with authentication sets.
|
| I wonder if similar would be possible by adding KRB5_PADATA_FX_COOKIE to
| server_supported_pa_types. If this really works server_verify_preauth()
| should be called twice, once with the cookie and the other time with the
| OTP REQ data. Since we don't know in which order the data items will come
| we have to save them and can check the nonce only in the second run.
That's a clever idea. The problem with this is in the edata_proc
(server_get_edata() in our case) where we have to put the nonce in the
cookie. Without changes to get_preauth_hint_list() I can't really see
how we would find the cookie padata entry.
And we do know the order. From RFC 6113 2.4:

    From the standpoint of evaluating the pre-authentication, the KDC
    first starts by initializing the pre-authentication state. If a PA-
    FX-COOKIE pre-authentication data item is present, it is processed
    first; see Section 5.2 for a definition.