"Last successful authentication" always set to "never"
Wachdorf, Daniel R
drwachd at sandia.gov
Wed Oct 15 15:47:19 EDT 2003
> -----Original Message-----
> From: Donn Cave [mailto:donn at u.washington.edu]
> Sent: Wednesday, October 15, 2003 11:14 AM
> To: kerberos at MIT.EDU
> Subject: Re: "Last successful authentication" always set to "never"
> In article <200310141817.NAA24447 at pvtest.ait.iastate.edu>,
> john at iastate.edu (John Hascall) wrote:
> > > > When you 'configure' kerberos during the build process,
> > > > you need to include the '--with-kdc-kdb-update' flag to
> > > > enable this. And then you need to put the 'requires_preauth'
> > > > attribute on your principals.
> [... re propagating success updates between KDCs ]
> > We are incrementally updating our slave (as well as our
> > W2K-AD and Novell-NDS) so this is not an issue for us.
> Yes, I remember that, as we are doing this too (minus the
> Novell part), but we only have to deal with passwords.
> [... re logs as an alternative source ]
> > Without preauth you can't tell a successful from
> > unsuccessful attempt.
> At all, right? What would `successful authentication' mean
> at the KDC in the absence of preauthentication? I am probably
> confused about something here.
Yes - at all. Without pre-auth, the KDC will send back an AS-REP encrypted
in the user's password; the client code then tries to decrypt it with what it
received from the KDC. Without pre-auth there is no way for the KDC to
know whether that decrypt was successful or not.
If pre-auth is enabled, then the KDC will attempt to decrypt a timestamp
encrypted in the user's password. If this is successful, then the KDC knows
the user has the correct password and ships back the AS-REP encrypted in the
> Donn Cave, donn at u.washington.edu
> Kerberos mailing list Kerberos at mit.edu
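The point made above (the KDC only learns that a password was right when it can check a pre-auth timestamp, so "last successful authentication" can only be recorded for `requires_preauth` principals) as an added toy model; this is not code from the thread or from MIT Kerberos, and the key derivation, the "enctype", the principal names, passwords and clock values are all constructed stand-ins:

```python
import hashlib
import hmac
import os

# Toy stand-ins for Kerberos string2key and an enctype. The only property we
# need is the one real enctypes have: decrypting with the wrong key is detected
# (here via an HMAC tag) instead of silently yielding garbage.
def string_to_key(password: str, salt: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def open_sealed(key: bytes, blob: bytes):
    """Plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, "sha256").digest(), tag):
        return None
    return bytes(b ^ s for b, s in zip(body, _keystream(key, nonce, len(body))))

class ToyKDC:
    def __init__(self, principals):
        # principals: name -> (password, requires_preauth); the KDC stores derived keys
        self.db = {n: (string_to_key(pw, n), pre) for n, (pw, pre) in principals.items()}
        self.last_success = {n: None for n in principals}   # "never" until proven

    def as_req(self, name, now, pa_enc_timestamp=None):
        key, requires_preauth = self.db[name]
        if requires_preauth:
            if pa_enc_timestamp is None:
                return "KDC_ERR_PREAUTH_REQUIRED"
            ts = open_sealed(key, pa_enc_timestamp)
            if ts is None or abs(now - int(ts)) > 300:    # wrong key or stale clock
                return "KDC_ERR_PREAUTH_FAILED"
            self.last_success[name] = now   # only here does the KDC *know* the password
        # Without pre-auth the AS-REP goes to whoever asks; the KDC learns nothing.
        return seal(key, b"AS-REP:session-key")

def client_login(kdc, name, password, now, use_preauth):
    key = string_to_key(password, name)
    pa = seal(key, str(now).encode()) if use_preauth else None
    rep = kdc.as_req(name, now, pa)
    if isinstance(rep, str):
        return rep
    return "OK" if open_sealed(key, rep) is not None else "CLIENT_DECRYPT_FAILED"
```

Run `client_login` against a principal without `requires_preauth` and `last_success` stays `None` even for a correct password, because only the client ever finds out whether the decrypt worked.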