Preauth mechanism provision in MIT kerberos
John Washington
jawashin at uiuc.edu
Wed Jul 18 09:46:49 EDT 2007
Well, you do that and set it as a default for all new priciples.
* Mike Dopheide <dopheide at ncsa.uiuc.edu> [2007-07-18 08:22]:
> For an existing principal you can enable preauth from kadmin with:
>
> modprinc +requires_preauth principalname
>
> I don't know of a way to enable preauth globally aside from setting it
> for each principal.
>
> -Mike
>
> Gopal Paliwal wrote:
> > Hi Friends,
> >
> > Recently I set up the whole kerberos system using MIT kerberos 1.6.1. When I
> > run the kinit command i observe the results on ethereal.
> > Following is my observation:
> > $>kinit <username>
> > I observe that as soon as I enter above command, ethereal captures 2 packets
> > namely KRB5_AS_REQ and KRB5_AS_RES. After that I type pasword at my end to
> > whuch is used to decrypt the session key(between TGS & Client), I get in
> > response.
> >
> > I assume that for the above case "pre-auth mehanism" in kerberos is not
> > activated. Even when I look at the code & RFC, I observe that preauth
> > mechanism is optional.
> >
> > I wish to activate this mechanism for my set-up so that the password
> > generated key will be used to encrypt the time-stamp at the client side and
> > this encrypted stamp will be carried by the KRB5_AS_REQ to authentication
> > server.
> > That means I should see above message flow on the ethereal only when the
> > user types both its username and password for kinit command.
> >
> > Could any one tell me how do I activate this preauth mechanism in my
> > kerberos if my above assumption is on the correct track. And also point out
> > the files I need to change to activate this mechanism.
> >
> > Thanks in advance.
> >
> > Regards,
> > Gopal Paliwal
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
John Washington Security Officer,
University of Illinois Urbana-Champaign
More information about the Kerberos
mailing list