kdc: audit preauth event only at end of PA loop

Don't audit preauth event if the preauth mech returns KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED; only set the event on (final) failure or success.
2022-01-05 09:37:55 +11:00
parent d90718c9b6
commit 68c4fd6572
1 changed files with 2 additions and 1 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2253,7 +2253,8 @@ _kdc_as_rep(astgs_request_t r)
 		    Key *ckey = NULL;
 		    krb5_boolean default_salt;

-		    if (!_kdc_audit_getkv((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT))
+		    if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED &&
+			!_kdc_audit_getkv((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT))
 			_kdc_audit_setkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
 						HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED);