Preauth mechanism provision in MIT kerberos

Marcus Watts mdw at spam.ifs.umich.edu
Thu Jul 19 01:51:16 EDT 2007


Writes "Gopal Paliwal" <gopalpaliwal at gmail.com>:
> Date:    Wed, 18 Jul 2007 16:15:00 PDT
> To:      "Marcus Watts" <mdw at spam.ifs.umich.edu>, kerberos at mit.edu
> From:    "Gopal Paliwal" <gopalpaliwal at gmail.com>
> Subject: Re: Preauth mechanism provision in MIT kerberos
> 
> Hi,
> 
> The solution you guys provided helped me.
> Though I now observe the following things in Ethereal.
> 
> 1) For the first time, krb5_AS_REQ goes whenever the user enters his username.
> 2) The authentication server responds back by giving the error "PRE_AUTH
> REQUIRED".
> 3) Now a new krb5_AS_REQ request gets formed with an encrypted time-stamp.
> 4) The authentication server sends krb5_AS_RES this time with a session key &
> tickets.
> 
> I am curious why the first two messages were generated. It makes sense though
> that only the authentication server knows that a particular user requires
> pre_auth & the user will be unaware of this fact before it receives the
> "PRE_AUTH REQUIRED" error. Still, is there any way I would be able to
> avoid the flow of the first two messages?
> 
> Thanks again,
> Gopal

There is absolutely no way the server can force the client
to not send the 1st 2 messages.  This is, as you observe,
the way things work.

It *is* possible for the client to just assume the server
will understand timestamp preauth and send it initially.
From a program, it looks like you want to call
	krb5_get_init_creds_opt_set_preauth_list
and pass in
	KRB5_PADATA_ENC_TIMESTAMP
an example of this is in the MIT source,
	clients/kpasswd/ksetpwd.c
A weakness of doing it this way (which you can see evidence of in
ksetpwd.c) is that you have to select an encryption type (and salt)
to use before talking to the kdc.

Another way that seems to want to do this in MIT kerberos 1.5+
is:
	kinit -X type=value
or from a program,
	krb5_get_init_creds_opt_set_pa
to make this actually work you apparently have to write a preauth
plugin.

				-Marcus Watts
