Preauth mechanism provision in MIT kerberos

Gopal Paliwal gopalpaliwal at gmail.com
Wed Jul 18 03:39:35 EDT 2007


Hi Friends,

Recently I set up the whole kerberos system using MIT kerberos 1.6.1. When I
run the kinit command i observe the results on ethereal.
Following is my observation:
$>kinit <username>
I observe that as soon as I enter above command, ethereal captures 2 packets
namely KRB5_AS_REQ and KRB5_AS_RES. After that I type pasword at my end to
whuch is used to decrypt the session key(between TGS & Client), I get in
response.

I assume that for the above case "pre-auth mehanism" in kerberos is not
activated. Even when I look at the code & RFC, I observe that preauth
mechanism is optional.

I wish to activate this mechanism for my set-up so that the password
generated key will be used to encrypt the time-stamp at the client side and
this encrypted stamp will be carried by the KRB5_AS_REQ to authentication
server.
That means I should see above message flow on the ethereal only when the
user types both its username and password for kinit command.

Could any one tell me how do I activate this preauth mechanism in my
kerberos if my above assumption is on the correct track. And also point out
the files I need to change to activate this mechanism.

Thanks in advance.

Regards,
Gopal Paliwal



More information about the Kerberos mailing list