more than one-preauth mechanism support in kerberos

Gopal Paliwal gopalpaliwal at gmail.com
Mon Aug 13 14:36:38 EDT 2007


>
> Thanks for the reply, Kevin.
>
> I know that there is a preferred preauth list on the client side which it
> tries to read from libdefaults, and if it doesn't get anything from there it
> fills up the preauth order on its side as "17 16 15 14", i.e. it
> tries PKINIT preauth first and then goes for type 2 (pa_enc_timestamp).
> I tried to include preauth type 32 yesterday itself before 17 in the above
> list but still it picked up type 2.
> Let me do some more changes client side so that it somehow uses type 32
> instead of 2 and I will let you know the outcome.
>
> -gopal
>
>
> On 8/13/07, Kevin Coffman <kwc at citi.umich.edu> wrote:
> >
> > On 8/13/07, Gopal Paliwal <gopalpaliwal at gmail.com> wrote:
> > > Hi Kevin,
> > >
> > > I mailed this query to the Kerberos group some time back but I didn't
> > > get any reply; could you please help me with this.
> > >
> > > I am implementing an OTP support mechanism in the existing Kerberos 1.6.1.
> > > Till now, I have done the server changes and the AS_REP contains one
> > > more required timestamp as the OTP one. I wish to know, will the
> > > existing client be able to send 2 preauth sequences (one is
> > > pa_enc_timestamp, and the other one is my declared preauth using OTP)?
> > > Or does the client just send any one of the asked preauth types?
> > > I see that the server is able to support more than one preauth type
> > > sent by the client by making it verify each preauth type in a loop, but
> > > I am not sure about how the client behaves in sending multiple preauth
> > > types.
> > >
> > > I debugged the client code and I could make out that the client gets
> > > my created preauth mechanism as a hint but still it selects timestamp
> > > as the default one to reply back. The number I chose for my preauth
> > > type is 32.
> > >
> > > Please help.
> > >
> > > Regards,
> > > -Gopal Paliwal
> >
> > There is a krb5.conf option, preferred_preauth_types, used by the
> > client code to determine the preferred list of preauth types to use.
> > I don't know if the client will ever send more than one preauth at a
> > time, but you can coerce it into preferring your preauth type over
> > timestamp by supplying this option.
> >
> > Let me know if this helps.
> >
> > K.C.
> >
>
>
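The ordering behaviour the thread talks about, as an added illustration (not code from MIT Kerberos or from either correspondent): the client reads `preferred_preauth_types` from `[libdefaults]` in krb5.conf, falls back to the documented default `17, 16, 15, 14` when the option is absent, and then sorts the preauth types hinted by the KDC so that preferred types are attempted first. With the default list neither type 2 (pa_enc_timestamp) nor a locally assigned type 32 is mentioned, so the hinted order is kept and timestamp wins; naming 32 first in the option moves it ahead. The function names, the sample krb5.conf fragments and the hinted type lists are constructed for this example, `configparser` stands in for krb5's own profile parser (adequate for the flat `[libdefaults]` section only), and the example models ordering only; whether the client sends more than one padata at a time is not something the thread settles.

```python
"""Model of how a krb5 client orders KDC-hinted preauth types (added example)."""
import configparser
from typing import List

PA_ENC_TIMESTAMP = 2                   # pa_enc_timestamp, the type the thread sees chosen
DEFAULT_PREFERRED = [17, 16, 15, 14]   # MIT krb5 default for preferred_preauth_types


def read_preferred_preauth_types(krb5_conf_text: str) -> List[int]:
    """Parse preferred_preauth_types from [libdefaults]; fall back to the default.

    configparser is used here as a stand-in for krb5's profile library; it is
    enough for the flat [libdefaults] section used in this example.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(krb5_conf_text)
    raw = parser.get("libdefaults", "preferred_preauth_types", fallback=None)
    if raw is None:
        return list(DEFAULT_PREFERRED)
    # The option is a comma-separated list of integer preauth type numbers;
    # whitespace around the entries is tolerated.
    return [int(tok) for tok in raw.replace(",", " ").split()]


def order_preauth_hints(hinted: List[int], preferred: List[int]) -> List[int]:
    """Return the KDC-hinted types in the order the client would attempt them.

    Types named in `preferred` come first, in preference order; hinted types
    the preference list does not mention keep their KDC-supplied order after
    them. This mirrors the "PKINIT first, then timestamp" behaviour the thread
    describes for the default list.
    """
    rank = {pa: i for i, pa in enumerate(preferred)}
    unranked = len(preferred)
    return sorted(hinted, key=lambda pa: (rank.get(pa, unranked), hinted.index(pa)))


def chosen_first(krb5_conf_text: str, hinted: List[int]) -> int:
    """The first preauth type the client would try under that configuration."""
    return order_preauth_hints(hinted, read_preferred_preauth_types(krb5_conf_text))[0]


# Constructed krb5.conf fragments for the two situations in the thread.
CONF_WITHOUT_OPTION = """
[libdefaults]
default_realm = EXAMPLE.COM
"""

CONF_PREFERRING_OTP = """
[libdefaults]
default_realm = EXAMPLE.COM
preferred_preauth_types = 32, 17, 16, 15, 14
"""

# Constructed KDC hint list: pa_enc_timestamp (2) and the locally assigned
# OTP type (32, the number chosen in the thread).
KDC_HINTS = [PA_ENC_TIMESTAMP, 32]

if __name__ == "__main__":
    for label, conf in (("default list", CONF_WITHOUT_OPTION),
                        ("32 preferred", CONF_PREFERRING_OTP)):
        preferred = read_preferred_preauth_types(conf)
        print(f"{label}: preferred={preferred} -> attempt order "
              f"{order_preauth_hints(KDC_HINTS, preferred)}")
```

Running the block prints the attempt order for both configurations: `[2, 32]` under the default list and `[32, 2]` once type 32 is listed first, which is the effect Kevin's suggestion aims for. A check worth keeping in mind when debugging the real client: if the type number you assign collides with one already registered, or is not in the KDC's hint list at all, no amount of reordering will make the client pick it.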