Preauth and ticket forwarding
Rachel Elizabeth Dillon
red at MIT.EDU
Tue Dec 7 15:07:15 EST 2004
I am one of many administrators for a network of 50 machines running
MIT Kerberos on Solaris. Recently, another administrator installed a
Cisco VPN Magic Box that supposedly uses Kerberos authentication, but
won't work unless preauthentication is turned off. With
preauthentication turned off for any given principal, ticket forwarding
no longer works for that principal. I guess my question is threefold:
1. What does preauth _actually_ do? From some reading, I believed it to
be based on clock skew, and fixed the clock skew between the VPN box
and the Kerberos server, but preauth still fails. All the KDC logs
say is that preauth is required just as they would for a successful
kinit, but with no successful kinit afterward. Of course, all the
Cisco box gives me is "Authentication Failure." Unfortunately, I do
not have a choice as to whether or not to use this product.
2. Assuming I have no choice but to turn off preauth for the Cisco box,
is there any way to make SSH ticket forwarding work with preauth
turned off? It works just fine as my system stands with preauth turned
on, but when preauth goes off, ticket forwarding stops working. This
makes sense as a security feature and I realize I am shooting myself
in the foot, but I am being ordered to shoot myself in the foot, and
I am trying to minimize immediate bleeding. :)
3. Does anyone have experience making MIT Kerberos work with a Cisco
VPN 3000? I've looked through the Cisco documentation and it doesn't
mention preauth or really much of anything except how to format your
@ signs.
Any suggestions would be greatly appreciated; thank you.
-r.
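An added audit script, not part of the original post: it parses the kind of output MIT `kadmin.local -q "getprinc ..."` prints (the principal names and the one-line "Attributes:" format here are constructed assumptions) and reports principals whose REQUIRES_PRE_AUTH attribute has been cleared, which is the exposure the poster is being ordered into, as well as principals whose DISALLOW_FORWARDABLE attribute would independently break ssh ticket forwarding.

```python
import re

# Constructed sample of concatenated MIT kadmin "getprinc" output for three
# principals; only the "Principal:" and "Attributes:" lines are consulted.
SAMPLE_GETPRINC = """\
Principal: red@ATHENA.MIT.EDU
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: ciscovpn@ATHENA.MIT.EDU
Maximum ticket life: 1 day 00:00:00
Attributes:
Policy: [none]

Principal: svc/backup@ATHENA.MIT.EDU
Maximum ticket life: 1 day 00:00:00
Attributes: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH
Policy: [none]
"""


def parse_getprinc(text):
    """Return {principal: set(attribute flags)} from getprinc output."""
    entries = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            entries[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            # An empty attribute list (preauth off, nothing else) parses to set().
            entries[current] = set(re.split(r"\s+", line.split(":", 1)[1].strip()) if line.split(":", 1)[1].strip() else [])
    return entries


def audit(entries):
    """Flag the two conditions the thread is about: preauth off, forwarding disallowed."""
    findings = {}
    for princ, attrs in sorted(entries.items()):
        issues = []
        if "REQUIRES_PRE_AUTH" not in attrs:
            issues.append("preauth disabled: KDC answers AS-REQ without proof of the key")
        if "DISALLOW_FORWARDABLE" in attrs:
            issues.append("forwardable tickets disallowed: ssh ticket forwarding will fail")
        if issues:
            findings[princ] = issues
    return findings


if __name__ == "__main__":
    for princ, issues in audit(parse_getprinc(SAMPLE_GETPRINC)).items():
        print(princ)
        for issue in issues:
            print("  -", issue)
```

On a real KDC the input would come from running `kadmin.local -q "getprinc NAME"` for each name listed by `kadmin.local -q listprincs`, so the set of preauth-exempt principals can be reviewed rather than discovered one VPN box at a time.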