Configuring preauth
Tom Parker
tparker at cbnco.com
Thu Apr 15 14:23:30 EDT 2010
From my understanding you need to enable preauth per principal.
When I enabled preauth on my server I had to write a little script that
added the +require_preauth to my users:
#!/bin/sh
# List all principals, dropping names that contain a slash and the
# kadmin.local prompt lines.
USERS=$(echo "get_principals" | kadmin.local | grep -v \/ | grep -v kadmin.local:)
### Note 'grep -v \/' is a \ and / not the letter V.
OPTIONS="+requires_preauth"
for PRINCIPAL in $USERS
do
    echo "Updating $PRINCIPAL"
    echo "modify_principal $OPTIONS $PRINCIPAL" | kadmin.local >/dev/null
done
I also set
[realms]
    MYREALM.COM = {
        default_principal_flags = +preauth
    }
in my kdc.conf to automatically add the +require_preauth flag to any new
principals.
Hope this helps.
On 04/15/2010 02:14 PM, Jeff Blaine wrote:
> MIT Kerberos 1.8, all Linux for now, custom build
>
> It's my understanding that the existence of a preauth
> module in lib/krb5/plugins makes the module required.
>
> Is that correct? I bet it's not, and if so, I would
> love to have someone explain what reality is.
>
> Is there any documentation on configuring preauth at
> all? I already found +require_preauth as part of
> addprinc/modprinc
>
> Thanks for any help!
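A check to run after the script in the reply above, as an added example that is not part of the original thread: it reads concatenated getprinc output and lists every principal whose Attributes line lacks REQUIRES_PRE_AUTH. The function names and the sample output are constructed for illustration, and the "Principal:" / "Attributes:" layout is assumed to be the one MIT kadmin prints.

```shell
#!/bin/sh
# Added example: audit which principals are still missing the preauth flag.

# Reads concatenated `getprinc` output on stdin and prints, one per line,
# each principal whose Attributes line does not contain REQUIRES_PRE_AUTH.
missing_preauth() {
    awk '
        /^Principal:/  { name = $2 }
        /^Attributes:/ {
            # Flags follow the label separated by spaces; the list may be empty.
            found = 0
            for (i = 2; i <= NF; i++) if ($i == "REQUIRES_PRE_AUTH") found = 1
            if (!found && name != "") print name
            name = ""
        }
    '
}

# Constructed sample of getprinc output, trimmed to the relevant fields.
sample_getprinc() {
    cat <<'EOF'
Principal: alice@MYREALM.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: bob@MYREALM.COM
Expiration date: [never]
Attributes:
Policy: [none]
Principal: carol@MYREALM.COM
Expiration date: [never]
Attributes: DISALLOW_FORWARDABLE
Policy: [none]
Principal: dave@MYREALM.COM
Attributes: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH
EOF
}

# Demo on the constructed sample; prints bob and carol.
sample_getprinc | missing_preauth

# Live use on the KDC, with $USERS built as in the script above:
#   for p in $USERS; do kadmin.local -q "getprinc $p"; done | missing_preauth
```

An empty result means every principal that was checked carries the flag.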