Preauth and ticket forwarding

Donn Cave donn at u.washington.edu
Tue Dec 7 15:53:25 EST 2004


In article <20041207200715.GU290 at yiff.mit.edu>,
 red at MIT.EDU (Rachel Elizabeth Dillon) wrote:
> I am one of many administrators for a network of 50 machines running
> MIT Kerberos on Solaris. Recently, another administrator installed a 
> Cisco VPN Magic Box that supposedly uses Kerberos authentication, but
> won't work unless preauthentication is turned off. With 
> preauthentication turned off for any given principal, ticket forwarding
> no longer works for that principal. I guess my question is threefold:
> 
> 1. What does preauth actually do? From some reading, I believed it to
>    be based on clock skew, and fixed the clock skew between the VPN box
>    and the Kerberos server, but preauth still fails. All the KDC logs
>    say is that preauth is required just as they would for a successful
>    kinit, but with no successful kinit afterward. Of course, all the 
>    Cisco box gives me is "Authentication Failure." Unfortunately, I do
>    not have a choice as to whether or not to use this product.

In case it may help, you can find more detail about the
preauthentication failure in the syslog output from the KDC.
The error message can be a little misleading - I believe
"No such file or directory" really means that the key was
wrong.  Other errors are "no valid preauth type", which
I think may commonly be a Microsoft issue, and "Clock skew
too great."  These messages appear on a separate line, so
you have to locate the failure event in the log and then
look for diagnostic messages on the line before.

> 2. Assuming I have no choice but to turn off preauth for the Cisco box,
>    is there any way to make SSH ticket forwarding work with preauth
>    turned off? It works just fine as my system stands with preauth turned
>    on, but when preauth goes off, ticket forwarding stops working. This
>    makes sense as a security feature and I realize I am shooting myself
>    in the foot, but I am being ordered to shoot myself in the foot, and 
>    I am trying to minimize immediate bleeding. :)

I would be surprised if preauthentication has any effect on
the subsequent properties of the credentials, anyway, so I
can't answer this one.

> 3. Does anyone have experience making MIT Kerberos work with a Cisco 
>    VPN 3000? I've looked through the Cisco documentation and it doesn't
>    mention preauth or really much of anything except how to format your
>    @ signs. 

Sorry!

   Donn Cave, donn at u.washington.edu
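A small log-correlation script, added here as an illustration and not part of the original thread, that does what Donn's reply describes by hand: locate each PREAUTH_FAILED event in the KDC syslog and read the diagnostic on the line before it. The line format and the sample entries are constructed approximations of krb5kdc syslog output, not captured from the poster's KDC, and the interpretation table just records the readings given in the reply.

```python
import re

# Constructed sample of krb5kdc syslog output (format approximated, not taken
# from the original post). The "verify failure" diagnostic precedes the
# PREAUTH_FAILED event it explains; a successful kinit logs NEEDED_PREAUTH
# followed by ISSUE, which is what the poster saw "just as for a successful kinit".
SAMPLE_KDC_LOG = """\
Dec  7 15:40:01 kdc krb5kdc[1234](info): preauth (timestamp) verify failure: No such file or directory
Dec  7 15:40:01 kdc krb5kdc[1234](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: PREAUTH_FAILED: vpnbox@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Dec  7 15:41:13 kdc krb5kdc[1234](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.20: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Dec  7 15:41:13 kdc krb5kdc[1234](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.20: ISSUE: authtime 1102452073, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec  7 15:42:05 kdc krb5kdc[1234](info): preauth (timestamp) verify failure: Clock skew too great
Dec  7 15:42:05 kdc krb5kdc[1234](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: PREAUTH_FAILED: vpnbox@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""

# Readings of the diagnostic strings as given in Donn Cave's reply.
MEANINGS = {
    "No such file or directory": "key mismatch (client used the wrong key or password)",
    "no valid preauth type": "client offered no acceptable preauth type (per the reply, commonly a Microsoft issue)",
    "Clock skew too great": "client and KDC clocks differ by more than the allowed skew",
}

FAILURE_RE = re.compile(r"AS_REQ .*? (?P<client>\S+): PREAUTH_FAILED: (?P<princ>\S+) for ")
DIAG_RE = re.compile(r"preauth \((?P<ptype>[^)]*)\) verify failure: (?P<err>.*)$")


def explain_preauth_failures(log_text):
    """Pair each PREAUTH_FAILED event with the diagnostic logged on the line before it."""
    lines = log_text.splitlines()
    results = []
    for i, line in enumerate(lines):
        m = FAILURE_RE.search(line)
        if not m:
            continue
        diag = DIAG_RE.search(lines[i - 1]) if i > 0 else None
        err = diag.group("err").strip() if diag else None
        results.append({
            "client": m.group("client"),
            "principal": m.group("princ"),
            "preauth_type": diag.group("ptype") if diag else None,
            "error": err,
            "meaning": (MEANINGS.get(err, "unrecognised diagnostic; read the raw line")
                        if err else "no diagnostic on the preceding line"),
        })
    return results


if __name__ == "__main__":
    for r in explain_preauth_failures(SAMPLE_KDC_LOG):
        print(f"{r['client']} {r['principal']}: {r['error']} -> {r['meaning']}")
```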
