From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 3 Jan 2018 16:59:14 +0000 (-0500)
Subject: Include etype-info in for hardware preauth hints
X-Git-Tag: krb5-1.17-beta1~199
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba92da05accc524b8037453b63ced1a6c65fd2a1;p=thirdparty%2Fkrb5.git

Include etype-info in for hardware preauth hints

If a principal has the requires_hwauth bit set, include PA-ETYPE-INFO
or PA-ETYPE-INFO2 padata in the PREAUTH_REQUIRED error, as preauth
mechs involving hardware tokens may also use the principal's Kerberos
password.

ticket: 8629
---

diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 81d0b8cffd..739c5e7765 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -144,7 +144,7 @@ static preauth_system static_preauth_systems[] = {
     {
         "etype-info",
         KRB5_PADATA_ETYPE_INFO,
-        0,
+        PA_HARDWARE,
         NULL,
         NULL,
         NULL,
@@ -155,7 +155,7 @@ static preauth_system static_preauth_systems[] = {
     {
         "etype-info2",
         KRB5_PADATA_ETYPE_INFO2,
-        0,
+        PA_HARDWARE,
         NULL,
         NULL,
         NULL,