Preauth mechanism provision in MIT kerberos
Marcus Watts
mdw at spam.ifs.umich.edu
Wed Jul 18 15:34:43 EDT 2007
John Washington <jawashin at uiuc.edu> sent:
> Date: Wed, 18 Jul 2007 08:46:49 CDT
> To: Mike Dopheide <dopheide at ncsa.uiuc.edu>
> cc: kerberos at mit.edu
> From: John Washington <jawashin at uiuc.edu>
> Subject: Re: Preauth mechanism provision in MIT kerberos
...
> Well, you do that and set it as a default for all new priciples.
...
The only way to set it for existing principals is via 'modprinc'.
For new principals, you can set "default_principal_flags"
inside of kdc.conf [realms] your-realm {}, something like this:
...
acl_file = /var/krb5kdc/kadm5.acl
max_renewable_life = 7d 0h 0m 0s
master_key_type = des-cbc-crc
default_principal_flags = +preauth
...
Note that default_principal_flags is not necessarily
the default for principals you create for keytabs.
Also note that you may not *want* preauth for keytab principals;
it that's set, the keytab isn't useable by principals that
for some reason did not authenticate using preauth.
-Marcus Watts
More information about the Kerberos
mailing list