
List:       krb5-bugs
Subject:    [krbdev.mit.edu #8124] git commit
From:       "Greg Hudson via RT" <rt-comment () krbdev ! mit ! edu>
Date:       2015-02-19 18:41:02
Message-ID: rt-8124-42364.19.318987183108 () krbdev ! mit ! edu


Use preauth timestamp in PKINIT clpreauth module

Use the timestamp from the KDC's preauth-required error when
generating a PKAuthenticator in pa_pkinit_gen_req(), to allow PKINIT
authentication to succeed despite client clock skew if kdc_timesync is
set.

Because this timestamp is unauthenticated (unless FAST is used), an
attacker could induce a legitimate client to generate a
PKAuthenticator for a future timestamp.  But replaying this request in
the future would only cause the KDC to issue a ticket which the
attacker cannot decrypt.

https://github.com/krb5/krb5/commit/fcc1076541a3bd9a5fa4db0be6f74888b3f5f193
Author: Greg Hudson <ghudson@mit.edu>
Commit: fcc1076541a3bd9a5fa4db0be6f74888b3f5f193
Branch: master
 src/plugins/preauth/pkinit/pkinit_clnt.c |   12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)
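The commit message above describes why the client should derive the PKAuthenticator timestamp from the KDC's preauth-required error when kdc_timesync is set. The following small model, added here as an illustration and not taken from the krb5 source or from the commit itself, shows the mechanism: the client records the offset between its own clock and the (unauthenticated) stime in the KDC error, applies that offset when it stamps the authenticator, and the KDC accepts the request only if the stamp falls inside its clockskew window. The function and type names (`record_kdc_offset`, `authenticator_time`, `kdc_accepts_ctime`, `model_time_t`) are assumptions for this example; the 300-second clockskew is krb5's documented default.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical model of the timestamp handling, not krb5's own API. */
typedef long model_time_t;   /* seconds since epoch */

/* Offset the client has learned from the KDC's preauth-required error
 * (stime minus the client's clock at the moment the error arrived).
 * Zero until an error has been seen. */
static model_time_t learned_offset = 0;

/* Called when the client receives a KDC error carrying stime.  The value
 * is unauthenticated unless FAST protects the exchange, which is why the
 * commit message notes it could be influenced by an attacker. */
void record_kdc_offset(model_time_t client_now_at_error,
                       model_time_t kdc_error_stime)
{
    learned_offset = kdc_error_stime - client_now_at_error;
}

/* Timestamp the client places in the PKAuthenticator.  With
 * kdc_timesync enabled the learned offset is applied, so a client whose
 * clock is wrong by more than the KDC's skew window can still succeed. */
model_time_t authenticator_time(model_time_t client_now, bool kdc_timesync)
{
    if (kdc_timesync)
        return client_now + learned_offset;
    return client_now;
}

/* KDC-side check: the authenticator time must lie within +/- clockskew
 * of the KDC's clock (krb5's default clockskew is 300 seconds). */
bool kdc_accepts_ctime(model_time_t ctime, model_time_t kdc_now,
                       long clockskew)
{
    return labs(ctime - kdc_now) <= clockskew;
}

/* One full preauth round trip: the KDC first answers with an error that
 * carries its stime, then judges the client's timestamped request.
 * Returns true if the KDC accepts the PKAuthenticator timestamp. */
bool model_exchange(model_time_t client_now, model_time_t kdc_now,
                    bool kdc_timesync, long clockskew)
{
    learned_offset = 0;                       /* fresh client state */
    record_kdc_offset(client_now, kdc_now);   /* stime == KDC's clock */
    model_time_t ctime = authenticator_time(client_now, kdc_timesync);
    return kdc_accepts_ctime(ctime, kdc_now, clockskew);
}
```

In this model a client running ten minutes slow fails the default 300-second window without kdc_timesync and passes it with kdc_timesync, which is exactly the case the commit addresses. The trade-off named in the commit message is also visible: a forged error could push `learned_offset` into the future, but the resulting request only yields a ticket encrypted to the legitimate client's key.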

