This still afflicts me, so I took another look.  Looking at the code I
referenced in the patch above, I don't see how it can work *without*
preauth - in kerberos5.c:_kdc_as_rep(), reply_key is NULL unless it's
set at this line (ignoring PKINIT):

            reply_key = &pa_key->key;

Maybe there's some code missing at a higher level that is supposed to
handle this condition rather than leaking it back to the client?

In any case, I don't remember why I couldn't enable preauth before
(maybe I still had some Kerberos 4 lying around?), but setting
require-preauth does fix the problem for me now.  For the not-clued-in
amongst us, it might be nice to see some more documentation on
preauth, i.e. what downside could there be to using it?  As it stands
about the only thing googling for "heimdal preauth" returns is the
existence of the require-preauth krb5.conf option.

