On 06/13/2015 07:38 AM, Chris Hecker wrote:
> Is it a problem to return the krb5_rd_req error code on failed authn to
> clients? Is that revealing information it shouldn't and I should just
> return success or failure? Or filter it down to a few safe ones, like
> clock skew, etc?
The error code might reveal a little information, but not much. Do note that the code might be a system errno value, and those aren't portable across operating systems.

The extended error string can reveal more information, particularly in 1.13; for instance, it can say "Request ticket server %s kvno %d found in keytab but not with enctype %s". I don't think we're currently including the pathname to the keytab, but it might be there in the future.

In general, we wouldn't include information in a server-side error message which would immediately allow an attack (like "keytab key <hex> cannot decrypt ticket"), but we might include information which could conceivably assist in targeting an attack. It's really an administrative decision whether to keep information like that private in the server logs, or send it to the client in order to more easily resolve problems.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
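The "filter it down to a few safe ones" option raised in the question, written out as an added example; this is not code from the thread or from MIT krb5. It keeps the raw krb5_rd_req() code and the extended message (the string krb5_get_error_message() would give, passed in by the caller here) in the server log, and lets the client learn only an allowlisted reason it can act on (clock skew, expired or not-yet-valid ticket). Everything that describes the server, including keytab kvno/enctype detail and positive errno values, collapses into a generic failure. The typedef and the error constants mirror krb5.h's definitions (com_err base -1765328384 plus the RFC 4120 error number) and are hardcoded only so the file builds without the Kerberos headers; the principal name, enctype and message pairings in main() are constructed sample data.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* krb5.h typedefs krb5_error_code as a 32-bit signed integer; mirrored
 * here (assumption) so the example builds without <krb5.h>. */
typedef int krb5_error_code;

/* Values from the krb5 com_err table: base -1765328384 plus the RFC 4120
 * error number. Hardcoded only to keep this file self-contained; a real
 * server includes <krb5.h> and uses the library's definitions. */
#define KRB5_ERR_BASE                (-1765328384)
#define KRB5KRB_AP_ERR_BAD_INTEGRITY (KRB5_ERR_BASE + 31)
#define KRB5KRB_AP_ERR_TKT_EXPIRED   (KRB5_ERR_BASE + 32)
#define KRB5KRB_AP_ERR_TKT_NYV       (KRB5_ERR_BASE + 33)
#define KRB5KRB_AP_ERR_REPEAT        (KRB5_ERR_BASE + 34)
#define KRB5KRB_AP_ERR_SKEW          (KRB5_ERR_BASE + 37)
#define KRB5KRB_AP_ERR_BADKEYVER     (KRB5_ERR_BASE + 44)

/* The only things a client may learn about a failed krb5_rd_req(). */
enum client_reason {
    REASON_OK = 0,
    REASON_CLOCK_SKEW,           /* fixable on the client: sync the clock */
    REASON_TICKET_EXPIRED,       /* fixable on the client: get a new ticket */
    REASON_TICKET_NOT_YET_VALID, /* again a client clock problem */
    REASON_AUTH_FAILED           /* everything else, deliberately vague */
};

/* Allowlist filter. Codes whose cause is on the client side map to a
 * specific reason; anything describing the server (keytab contents, key
 * versions, enctypes, replay cache, errno from the file system) collapses
 * into REASON_AUTH_FAILED. */
enum client_reason classify_rd_req_error(krb5_error_code code)
{
    if (code == 0)
        return REASON_OK;
    /* Positive values are system errno numbers (e.g. EACCES on the
     * keytab): OS-specific and about the server, so never forwarded. */
    if (code > 0)
        return REASON_AUTH_FAILED;
    switch (code) {
    case KRB5KRB_AP_ERR_SKEW:        return REASON_CLOCK_SKEW;
    case KRB5KRB_AP_ERR_TKT_EXPIRED: return REASON_TICKET_EXPIRED;
    case KRB5KRB_AP_ERR_TKT_NYV:     return REASON_TICKET_NOT_YET_VALID;
    default:                         return REASON_AUTH_FAILED;
    }
}

/* Fixed client-facing strings; none of them quotes library text. */
const char *client_reason_text(enum client_reason r)
{
    switch (r) {
    case REASON_OK:                   return "ok";
    case REASON_CLOCK_SKEW:           return "clock skew too great; check the client clock";
    case REASON_TICKET_EXPIRED:       return "ticket expired; obtain a fresh ticket";
    case REASON_TICKET_NOT_YET_VALID: return "ticket not yet valid; check the client clock";
    default:                          return "authentication failed";
    }
}

/* Route one krb5_rd_req() outcome to its two audiences: raw code plus
 * extended message to the server log only, allowlisted text to the client
 * buffer. Returns the reason that was sent to the client. */
enum client_reason report_rd_req_result(krb5_error_code code, const char *ext_msg,
                                        char *client_buf, size_t client_len)
{
    enum client_reason r = classify_rd_req_error(code);

    if (code != 0) {
        fprintf(stderr, "rd_req failed: code %d: %s (client told: %s)\n",
                code, ext_msg != NULL ? ext_msg : "(no extended message)",
                client_reason_text(r));
    }
    snprintf(client_buf, client_len, "%s", client_reason_text(r));
    return r;
}

int main(void)
{
    /* Constructed outcomes, not captured library output. The BADKEYVER
     * text is the 1.13-style message quoted in the thread; pairing it
     * with that particular code is illustrative. */
    static const struct { krb5_error_code code; const char *ext_msg; } samples[] = {
        { 0, NULL },
        { KRB5KRB_AP_ERR_SKEW, "Clock skew too great" },
        { KRB5KRB_AP_ERR_TKT_EXPIRED, "Ticket expired" },
        { KRB5KRB_AP_ERR_BADKEYVER,
          "Request ticket server host/app.example.com@EXAMPLE.COM kvno 5 "
          "found in keytab but not with enctype aes256-cts-hmac-sha1-96" },
        { KRB5KRB_AP_ERR_BAD_INTEGRITY, "Decrypt integrity check failed" },
        { KRB5KRB_AP_ERR_REPEAT, "Request is a replay" },
        { EACCES, "Permission denied" },
    };
    char client_buf[96];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        report_rd_req_result(samples[i].code, samples[i].ext_msg,
                             client_buf, sizeof client_buf);
        printf("code %11d -> client sees: %s\n", samples[i].code, client_buf);
    }
    return 0;
}
```

Whether skew and expiry belong on the allowlist is the administrative decision the reply describes; the structure is what matters: the decision lives in one table the operator can tune, the extended message never reaches the wire, and the generic branch is the default for any code not explicitly listed, so a new library error cannot leak by omission.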